Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ProductBOMpq_v4.xlsm

Overview

General Information

Sample name:ProductBOMpq_v4.xlsm
Analysis ID:1590598
MD5:588e6d97831f43a943ee268f00f99006
SHA1:d637a7ffeed63ab16c2ba3b88c9dd66ae8b47e48
SHA256:e833398f914087d210f8052de75b34b50f1223e4db18ac0702e8365406250f2b
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious Microsoft Office Child Process
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Office Outbound Connections
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w11x64_office
  • EXCEL.EXE (PID: 7876 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 8092 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
    • Microsoft.Mashup.Container.Loader.exe (PID: 5460 cmdline: "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe" 4952 4948 a738d581-1d95-47a3-92f5-20e82ae1fd74 1 --logfile "C:\Users\user\AppData\Local\Temp\PowerQuery\ContainerLogs\4b71cf6f-af5c-40b5-bfe1-0e819cf10753.log" --targetframework ".NETFramework,Version=v4.5" MD5: 15656CABCB6185467409C73D7A8D337F)
      • conhost.exe (PID: 1656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • powershell.exe (PID: 7796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force MD5: 9D8E30DAF21108092D5980C931876B7E)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious Microsoft Office Child Process
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7876, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, ProcessId: 7796, ProcessName: powershell.exe
Sigma detected: Excel Network Connections
Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.45, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7876, Protocol: tcp, SourceIp: 192.168.2.24, SourceIsIpv6: false, SourcePort: 49752
Sigma detected: Suspicious Copy From or To System Directory
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7876, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, ProcessId: 7796, ProcessName: powershell.exe
Sigma detected: Suspicious Office Outbound Connections
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.24, DestinationIsIpv6: false, DestinationPort: 49752, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7876, Protocol: tcp, SourceIp: 13.107.246.45, SourceIsIpv6: false, SourcePort: 443
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7876, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force, ProcessId: 7796, ProcessName: powershell.exe
Sigma detected: Office Macro File Creation
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 7876, TargetFilename: C:\Users\user\Desktop\~$ProductBOMpq_v4.xlsm

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://login.microsoftonline.de/Avira URL Cloud: Label: phishing
Source: https://login.microsoftonline.de/common/oauth2/token0Avira URL Cloud: Label: phishing
Source: https://login.microsoftonline.de/common/oauth2/logoutAvira URL Cloud: Label: phishing
Source: https://login.microsoftonline.de/common/oauth2/authorizeAvira URL Cloud: Label: phishing
Source: https://login.microsoftonline.deAvira URL Cloud: Label: phishing
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEDirectory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior
Source: unknownHTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.24:49752 version: TLS 1.2

Software Vulnerabilities

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: global trafficDNS query: name: otelrules.svc.static.microsoft
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.24:49752 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.24:49752
Source: excel.exeMemory has grown: Private usage: 2MB later: 312MB
Source: Joe Sandbox ViewIP Address: 13.107.246.45 13.107.246.45
Source: Joe Sandbox ViewJA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /rules/rule170146v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)Host: otelrules.svc.static.microsoft
Source: global trafficDNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analyticsadmin.googleapis.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analyticsdata.googleapis.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analyticsreporting.googleapis.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api-dogfood.resources.windows-int.net
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hybridproxy.int.powerbi-int.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hybridproxy.int2.powerbi-int.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hybridproxy.powerbi.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login-us.microsoftonline.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login-us.microsoftonline.com/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.chinacloudapi.cn
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.chinacloudapi.cn/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.chinacloudapi.cn/common/oauth2/authorize
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.chinacloudapi.cn/common/oauth2/logout
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.chinacloudapi.cn/common/oauth2/token0
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.de
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.de/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.de/common/oauth2/authorize
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.de/common/oauth2/logout
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.de/common/oauth2/token0
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.us
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.us/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.us/common/oauth2/authorize
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.us/common/oauth2/logout
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.us/common/oauth2/token0
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.partner.microsoftonline.cn
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.partner.microsoftonline.cn/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/logout0
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/token
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/logout
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/token0
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://management.azure.com
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://management.core.windows.net/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://marketing-infra.dynamics.com/
Source: Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/analytics.readonly
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownHTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.24:49752 version: TLS 1.2
Source: C:\Windows\splwow64.exeProcess Stats: CPU usage > 49%
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCDF76BB012_2_00007FFCCDF76BB0
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCDF74A2E12_2_00007FFCCDF74A2E
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE4430B912_2_00007FFCCE4430B9
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE444EE912_2_00007FFCCE444EE9
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE433D0D12_2_00007FFCCE433D0D
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE43360012_2_00007FFCCE433600
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE430A2A12_2_00007FFCCE430A2A
Source: classification engineClassification label: mal56.expl.winXLSM@10/5@1/1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\Desktop\~$ProductBOMpq_v4.xlsmJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1656:120:WilError_03
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{A1AD7261-012E-4BE9-8683-5C20068A2C4C} - OProcSessId.datJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknownProcess created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe" 4952 4948 a738d581-1d95-47a3-92f5-20e82ae1fd74 1 --logfile "C:\Users\user\AppData\Local\Temp\PowerQuery\ContainerLogs\4b71cf6f-af5c-40b5-bfe1-0e819cf10753.log" --targetframework ".NETFramework,Version=v4.5"
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe" 4952 4948 a738d581-1d95-47a3-92f5-20e82ae1fd74 1 --logfile "C:\Users\user\AppData\Local\Temp\PowerQuery\ContainerLogs\4b71cf6f-af5c-40b5-bfe1-0e819cf10753.log" --targetframework ".NETFramework,Version=v4.5"Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -ForceJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: apphelp.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: c2r64.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: msvcp140.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: msvcp140.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: mscoree.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140_1_clr0400.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: uxtheme.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: cryptsp.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: rsaenh.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: cryptbase.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: version.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: windows.storage.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: wintypes.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: profapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: urlmon.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: iertutil.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: srvcli.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: netutils.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: srvcli.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: netutils.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: sspicli.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: propsys.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: virtdisk.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: odbc32.dll
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_1_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appidapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\CLSID\{BE619240-2E03-45AD-8A6A-97CF55210619}\InprocServer32Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEAutomated click: OK
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEAutomated click: OK
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEAutomated click: OK
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEDirectory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE441F59 push ebx; ret 12_2_00007FFCCE441F5A
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE4319AB push esi; ret 12_2_00007FFCCE4319C7
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeCode function: 12_2_00007FFCCE4319FE push ds; ret 12_2_00007FFCCE4319FF
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 4404Jump to behavior
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 5488Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeWindow / User API: threadDelayed 4988
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeWindow / User API: threadDelayed 4268
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3465
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5648
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe TID: 2344Thread sleep count: 41 > 30
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe TID: 2344Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe TID: 1876Thread sleep count: 4988 > 30
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe TID: 1876Thread sleep count: 4268 > 30
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe TID: 2348Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe TID: 2348Thread sleep count: 67 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6456Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeLast function: Thread delayed
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess token adjusted: DebugJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.Library45.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts13
Exploitation for Client Execution		1
DLL Side-Loading		1
Process Injection		3
Masquerading		OS Credential Dumping1
Process Discovery		Remote Services1
Archive Collected Data		11
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		21
Virtualization/Sandbox Evasion		LSASS Memory21
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Extra Window Memory Injection		1
Process Injection		Security Account Manager1
Application Window Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput Capture3
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets13
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Extra Window Memory Injection		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1590598 Sample: ProductBOMpq_v4.xlsm Startdate: 14/01/2025 Architecture: WINDOWS Score: 56 21 shed.dual-low.s-part-0017.t-0009.t-msedge.net 2->21 23 s-part-0017.t-0009.t-msedge.net 2->23 25 otelrules.svc.static.microsoft 2->25 29 Antivirus detection for URL or domain 2->29 31 Document exploit detected (process start blacklist hit) 2->31 33 Sigma detected: Suspicious Microsoft Office Child Process 2->33 8 EXCEL.EXE 514 141 2->8         started        signatures3 process4 dnsIp5 27 s-part-0017.t-0009.t-msedge.net 13.107.246.45, 443, 49752 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->27 11 Microsoft.Mashup.Container.Loader.exe 8->11         started        13 powershell.exe 8->13         started        15 splwow64.exe 8->15         started        process6 process7 17 conhost.exe 11->17         started        19 conhost.exe 13->19         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://api-dogfood.resources.windows-int.net0%Avira URL Cloudsafe
https://marketing-infra.dynamics.com/0%Avira URL Cloudsafe
https://login.microsoftonline.de/100%Avira URL Cloudphishing
https://hybridproxy.powerbi.com0%Avira URL Cloudsafe
https://login.microsoftonline.de/common/oauth2/token0100%Avira URL Cloudphishing
https://login.microsoftonline.de/common/oauth2/logout100%Avira URL Cloudphishing
https://hybridproxy.int2.powerbi-int.com0%Avira URL Cloudsafe
https://login.microsoftonline.de/common/oauth2/authorize100%Avira URL Cloudphishing
https://hybridproxy.int.powerbi-int.com0%Avira URL Cloudsafe
https://login.microsoftonline.de100%Avira URL Cloudphishing

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s-part-0017.t-0009.t-msedge.net
13.107.246.45
truefalse
    		high
    otelrules.svc.static.microsoft
    		unknown
    		unknownfalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      https://otelrules.svc.static.microsoft/rules/rule170146v0s19.xmlfalse
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://management.azure.comMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://login.microsoftonline.com/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://login.windows.netMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://hybridproxy.int2.powerbi-int.comMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://hybridproxy.int.powerbi-int.comMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://login.microsoftonline.de/common/oauth2/token0Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: phishing
              		unknown
              https://login.windows-ppe.net/common/oauth2/authorizeMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://login.microsoftonline.de/common/oauth2/authorizeMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                		unknown
                https://login.chinacloudapi.cn/common/oauth2/logoutMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://login-us.microsoftonline.com/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://api-dogfood.resources.windows-int.netMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://login.chinacloudapi.cnMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://login-us.microsoftonline.comMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://login.windows.net/common/oauth2/token0Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://login.windows-ppe.netMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://login.microsoftonline.us/common/oauth2/logoutMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://login.chinacloudapi.cn/common/oauth2/token0Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://login.windows-ppe.net/common/oauth2/logout0Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://login.microsoftonline.usMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://login.windows.net/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://login.microsoftonline.comMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://login.microsoftonline.de/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: phishing
                                        		unknown
                                        https://login.microsoftonline.us/common/oauth2/token0Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://login.windows-ppe.net/common/oauth2/tokenMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://login.windows.net/common/oauth2/logoutMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://marketing-infra.dynamics.com/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://login.partner.microsoftonline.cn/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://login.microsoftonline.de/common/oauth2/logoutMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: phishing
                                                		unknown
                                                https://login.windows.net/common/oauth2/authorizeMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://login.microsoftonline.us/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://hybridproxy.powerbi.comMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://login.chinacloudapi.cn/common/oauth2/authorizeMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://login.chinacloudapi.cn/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://login.microsoftonline.deMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: phishing
                                                        		unknown
                                                        https://login.microsoftonline.us/common/oauth2/authorizeMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://login.windows-ppe.net/Microsoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://login.partner.microsoftonline.cnMicrosoft.Mashup.Container.Loader.exe, 0000000C.00000002.17179529281.000001FF0035E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              13.107.246.45
                                                              		s-part-0017.t-0009.t-msedge.netUnited States
                                                              		8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse

                                                              General Information

                                                              Joe Sandbox version:42.0.0 Malachite
                                                              Analysis ID:1590598
                                                              Start date and time:2025-01-14 10:51:43 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 13m 14s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                                              Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                                              Run name:Potential for more IOCs and behavior
                                                              Number of analysed new started processes analysed:16
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Sample name:ProductBOMpq_v4.xlsm
                                                              Detection:MAL
                                                              Classification:mal56.expl.winXLSM@10/5@1/1
                                                              EGA Information:Failed
                                                              HCA Information:Failed
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .xlsm
                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                              • Attach to Office via COM
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object
                                                              • Active Button Object

                                                              Warnings

                                                              • Max analysis timeout: 600s exceeded, the analysis took too long
                                                              • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 52.109.32.97, 95.100.110.77, 95.100.110.74, 52.109.28.47, 52.113.194.132, 52.109.76.144, 20.189.173.17, 2.23.246.101, 2.23.240.50, 52.182.143.210, 2.23.242.162, 40.126.31.73, 4.245.163.56
                                                              • Excluded domains from analysis (whitelisted): e40491.dscg.akamaiedge.Net, e1324.dscd.akamaiedge.net, odc.officeapps.live.com, slscr.update.microsoft.com, onedscolprdwus22.westus.cloudapp.azure.com, e13678.dscb.akamaiedge.net, oneocsp.microsoft.com, mobile.events.data.microsoft.com, www.microsoft.com-c-3.edgekey.net, ocsp.digicert.com, login.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, onedscolprdcus10.centralus.cloudapp.azure.com, osiprod-neu-bronze-azsc-000.northeurope.cloudapp.azure.com, ecs.office.com, fs.microsoft.com, uci.cdn.office.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, x1.c.lencr.org, uks-azsc-000.roaming.officeapps.live.com, res-prod.trafficmanager.net, owamail.public.cdn.office.net.edgekey.net, s-0005.s-msedge.net, owamail.public.cdn.office.net.edgekey.net.globalredir.akadns.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, neu-azsc-000.odc.officeapps.live.com, europe.odcsm1.
                                                              • Execution Graph export aborted for target Microsoft.Mashup.Container.Loader.exe, PID 5460 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateFile calls found.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                              • Report size getting too big, too many NtSetValueKey calls found.

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              04:52:39API Interceptor30323850x Sleep call for process: splwow64.exe modified
                                                              04:53:53API Interceptor6x Sleep call for process: powershell.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              13.107.246.45https://pcefan.com/diary/index.php?st-manager=1&path=/click/track&id=4973&type=ranking&url=http://nam.dcv.ms/BxPVLH2cz4Get hashmaliciousHTMLPhisherBrowse
                                                              • nam.dcv.ms/BxPVLH2cz4

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              s-part-0017.t-0009.t-msedge.netRFQ____PC25-1301.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              Signature Required_ Retail Technology Asia Employee Benefit for eddie.chan@rtasia.com.hk.emlGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              RFQ____PC25-1301.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              https://Rtasia-sharepoint.zonivarnoth.ru/ITb4aThU/#Deddie.chan@rtasia.com.hkGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              RFQ____PC25-1301.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              RFQ____PC25-1301.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              yTRd6nkLWV.exeGet hashmaliciousLummaCBrowse
                                                              • 13.107.246.45
                                                              009.vbeGet hashmaliciousAgentTeslaBrowse
                                                              • 13.107.246.45
                                                              http://bebizicon.com/Campususa/index.xml#?email=b2xpdmllci5kb3phdEBpbm5vY2FwLmNvbQ==Get hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                              • 13.107.246.45

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              MICROSOFT-CORP-MSN-AS-BLOCKUSScanned-IMGS_from NomanGroup IDT.scr.exeGet hashmaliciousFormBookBrowse
                                                              • 20.244.96.65
                                                              RFQ____PC25-1301.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msgGet hashmaliciousUnknownBrowse
                                                              • 20.44.10.123
                                                              phishing.emlGet hashmaliciousPhisherBrowse
                                                              • 51.116.246.104
                                                              https://iyztciuamr.cfolks.pl/ppGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.60
                                                              http://ww1.tryd.proGet hashmaliciousUnknownBrowse
                                                              • 13.107.21.237
                                                              https://xC.gnoqwwhpwe.ru/3aeK/#Atest@test.comGet hashmaliciousUnknownBrowse
                                                              • 20.190.160.22
                                                              https://gthlcanada.comGet hashmaliciousUnknownBrowse
                                                              • 137.117.65.222
                                                              B317.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              https://timecusa-my.sharepoint.com/:f:/p/stephensw/Erq5TMDIJBVBvh6vbWmpurEB4UwHKTW8nzSkPE2Ckmvugg?e=SepTcTGet hashmaliciousHTMLPhisherBrowse
                                                              • 40.126.32.138

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              258a5a1e95b8a911872bae9081526644RFQ____PC25-1301.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              B317.xlsxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              YYYY-NNN AUDIT DETAIL REPORT .docxGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              CY SEC AUDIT PLAN 2025.docx.docGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              H565rymIuO.docGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              Sample_Order_000000991.xlsGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45
                                                              Payment_swift_copy.xlsGet hashmaliciousUnknownBrowse
                                                              • 13.107.246.45

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

                                                              Download File
                                                              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):118
                                                              Entropy (8bit):3.5700810731231707
                                                              Encrypted:false
                                                              SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                              MD5:573220372DA4ED487441611079B623CD
                                                              SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                              SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                              SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1112
                                                              Entropy (8bit):5.252528641577358
                                                              Encrypted:false
                                                              SSDEEP:24:3QjgyP9wjGo4KCs7KNLgsoKLN1MRPB9txRBhtTiKyHia0fmU:gcyP9Sn464gJgMR59tXBhtTinHun
                                                              MD5:2D2664396CF704F8B04EB17D8757028E
                                                              SHA1:6515CC0C21FBD23C9DE1320D0BD3315326F0E007
                                                              SHA-256:507CEA8FC822AB38CCF23D7062B160BB54F5193D722455AA4BA048C73281CD73
                                                              SHA-512:39AC2D3467882507D917E7AC2628E77F7DBCCAD07D3054A0E20A897DD25B17B0FF52EAD5282924F24FA185C7BA2BE5C8B47E733A05A27DC4205F899FFE509BC5
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:@...e.................................2.........................8...................c.O..O.4+m.........System.Numerics.H.....................C...}...>...... .Microsoft.PowerShell.ConsoleHost0...............P!..:..A..............System..4...............s...<.O.h....rv........System.Core.D.................`....A..R............System.Management.Automation<.................&cb.1B.u`.)...........System.Configuration4...............F.I..^.M._. ..}........System.Xml..4...............Y.].s.N.....P........System.Data.<...................g..C.&..3.e.........System.Management...@...............l...52O.Rt...%.........System.DirectoryServicesH.................R....G.&'Hx-.P........Microsoft.PowerShell.Security...L.................G(*.OK.w..h..*......#.Microsoft.Management.Infrastructure.<...............Y.O.;b.D..8IJ...........System.Transactions.P..............."......K......M.......(.Microsoft.PowerShell.Commands.ManagementD...............c\....RG.5..q./........System.Configuration.Ins

                                                              C:\Users\user\AppData\Local\Temp\PowerQuery\ContainerLogs\4b71cf6f-af5c-40b5-bfe1-0e819cf10753.log

                                                              Download File
                                                              Process:C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1145
                                                              Entropy (8bit):4.951383379300696
                                                              Encrypted:false
                                                              SSDEEP:24:o+wKJeUFeUphOKJeroqKJeQ7JKJeFrKJePKJeUmOKJeeUvOKJeDYnmisMGt+:o+qUFeih4r3Q7zfpUm4es4/MGt+
                                                              MD5:8C93C2CCC04BDE51B7AD121C298E5958
                                                              SHA1:CA52B1AF0DC16E9CE1115D746D92DEC117E18A60
                                                              SHA-256:1F16ADE9CC374EF6C4AD242FCC0CF01D0C0F38F6BFBD456534E0E2C71A38E0FB
                                                              SHA-512:E6F778D74D209A76ECA4A69B63E0C95EF99EB0BA46EDBD922098A65821BFC3EE3A6C838891FEBA5D7035A1C85E44FE00111683CCAE689CDCD7FBBA6B77F26400
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(116): Container starting with arguments: 4952 4948 a738d581-1d95-47a3-92f5-20e82ae1fd74 1 --targetframework .NETFramework,Version=v4.5..C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(59): Enumerating .net runtimes..C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(78): v2.0.50727..C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(78): v4.0.30319..C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(82): Found match..C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(149): Loading runtime..C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(163): Starting runtime..C:\__w\1\s\private\Product\Mashup\EvaluationContainerLoader\EvaluationContainerLoader.cpp(178): Executi

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbxate1y.bin.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zzqlmw5e.rab.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              Static File Info

                                                              General

                                                              File type:Microsoft Excel 2007+
                                                              Entropy (8bit):7.976350486837494
                                                              TrID:
                                                              • Excel Microsoft Office Open XML Format document with Macro (52504/1) 54.97%
                                                              • Excel Microsoft Office Open XML Format document (35004/1) 36.65%
                                                              • ZIP compressed archive (8000/1) 8.38%
                                                              File name:ProductBOMpq_v4.xlsm
                                                              File size:588'253 bytes
                                                              MD5:588e6d97831f43a943ee268f00f99006
                                                              SHA1:d637a7ffeed63ab16c2ba3b88c9dd66ae8b47e48
                                                              SHA256:e833398f914087d210f8052de75b34b50f1223e4db18ac0702e8365406250f2b
                                                              SHA512:e58b33194405f8c6436e7ed87f9aa452534cb346a148a5d032f2c7cd3a5c1721d79f942818b1309ebab59924ae06ebf0fbaf3b9b46036c58f73f9c7275700cc0
                                                              SSDEEP:12288:aLB03Vn/mbs9M9wuseBXHyCnvtSuo+YHVYqbhGGr7euKNAVX:sin/mo69VsRCvMiyVvbAGObWX
                                                              TLSH:87C412099A59BE0CD25AE13CD42C12E0624DF366E822C41F7484F5AF5FC1A9BCB9E71D
                                                              File Content Preview:PK..........!.$..t\....#......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                              File Icon

                                                              Icon Hash:1d356664a4a09519

                                                              Network Behavior

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Jan 14, 2025 10:53:45.416661024 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:45.416708946 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:45.416783094 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:45.417078018 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:45.417093992 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.059001923 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.059140921 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:46.082041979 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:46.082122087 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.082521915 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.092428923 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:46.135340929 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.187932968 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.188013077 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.188169003 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:46.188332081 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:46.188332081 CET49752443192.168.2.2413.107.246.45
                                                              Jan 14, 2025 10:53:46.188375950 CET4434975213.107.246.45192.168.2.24
                                                              Jan 14, 2025 10:53:46.188402891 CET4434975213.107.246.45192.168.2.24

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Jan 14, 2025 10:53:45.408102036 CET4996153192.168.2.241.1.1.1

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Jan 14, 2025 10:53:45.408102036 CET192.168.2.241.1.1.10x57f0Standard query (0)otelrules.svc.static.microsoftA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Jan 14, 2025 10:53:45.415903091 CET1.1.1.1192.168.2.240x57f0No error (0)otelrules.svc.static.microsoftotelrules.azureedge.netCNAME (Canonical name)IN (0x0001)false
                                                              Jan 14, 2025 10:53:45.415903091 CET1.1.1.1192.168.2.240x57f0No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                              Jan 14, 2025 10:53:45.415903091 CET1.1.1.1192.168.2.240x57f0No error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • otelrules.svc.static.microsoft

                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.244975213.107.246.454437876C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                                              TimestampBytes transferredDirectionData
                                                              2025-01-14 09:53:46 UTC214OUTGET /rules/rule170146v0s19.xml HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Accept-Encoding: gzip
                                                              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
                                                              Host: otelrules.svc.static.microsoft
                                                              2025-01-14 09:53:46 UTC470INHTTP/1.1 200 OK
                                                              Date: Tue, 14 Jan 2025 09:53:46 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 461
                                                              Connection: close
                                                              Cache-Control: public, max-age=604800, immutable
                                                              Last-Modified: Thu, 14 Nov 2024 16:14:57 GMT
                                                              ETag: "0x8DD04C77BDE7614"
                                                              x-ms-request-id: 72816841-301e-0096-1a3f-66e71d000000
                                                              x-ms-version: 2018-03-28
                                                              x-azure-ref: 20250114T095346Z-156796c549bzzbn9hC1EWR6zf40000001pgg000000003bta
                                                              x-fd-int-roxy-purgeid: 0
                                                              X-Cache: TCP_HIT
                                                              Accept-Ranges: bytes
                                                              2025-01-14 09:53:46 UTC461INData Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 31 34 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 45 78 70 6f 72 74 42 75 6c 6c 65 74 42 6c 69 70 43 45 78 63 65 70 74 69 6f 6e 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 34 38 39 66 34 22 20
                                                              Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170146" V="0" DC="SM" EN="Office.Graphics.ExportBulletBlipCException" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="489f4"


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:04:52:38
                                                              Start date:14/01/2025
                                                              Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                                              Imagebase:0x7ff7a90e0000
                                                              File size:70'082'712 bytes
                                                              MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:false

                                                              General

                                                              Target ID:2
                                                              Start time:04:52:39
                                                              Start date:14/01/2025
                                                              Path:C:\Windows\splwow64.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\splwow64.exe 12288
                                                              Imagebase:0x7ff6b00b0000
                                                              File size:192'512 bytes
                                                              MD5 hash:AF4A7EBF6114EE9E6FBCC910EC3C96E6
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:false

                                                              General

                                                              Target ID:12
                                                              Start time:04:53:42
                                                              Start date:14/01/2025
                                                              Path:C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe" 4952 4948 a738d581-1d95-47a3-92f5-20e82ae1fd74 1 --logfile "C:\Users\user\AppData\Local\Temp\PowerQuery\ContainerLogs\4b71cf6f-af5c-40b5-bfe1-0e819cf10753.log" --targetframework ".NETFramework,Version=v4.5"
                                                              Imagebase:0x7ff655400000
                                                              File size:67'224 bytes
                                                              MD5 hash:15656CABCB6185467409C73D7A8D337F
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:false

                                                              General

                                                              Target ID:13
                                                              Start time:04:53:42
                                                              Start date:14/01/2025
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6038b0000
                                                              File size:1'040'384 bytes
                                                              MD5 hash:9698384842DA735D80D278A427A229AB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:false

                                                              General

                                                              Target ID:14
                                                              Start time:04:53:51
                                                              Start date:14/01/2025
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path L:\P-S_Test\Data\* -Destination C:\Users\pisek.p\OneDrive - Exter BV\P-S_PlanCheckUp\Data\ -Force
                                                              Imagebase:0x7ff7dbf70000
                                                              File size:450'560 bytes
                                                              MD5 hash:9D8E30DAF21108092D5980C931876B7E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:15
                                                              Start time:04:53:51
                                                              Start date:14/01/2025
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6038b0000
                                                              File size:1'040'384 bytes
                                                              MD5 hash:9698384842DA735D80D278A427A229AB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Disassembly

                                                              Reset < >

                                                                Executed Functions

                                                                Function 00007FFCCE4430B9 Relevance: 1.1, Instructions: 1054COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bcd410299147ea118d7eb68e04008837eb4b0766eb33dd736469320d49acf9dc
                                                                • Instruction ID: f50e203d4ce6f9bfeae1580e8a83c59138df525d950571708f31b08db2ee44e4
                                                                • Opcode Fuzzy Hash: bcd410299147ea118d7eb68e04008837eb4b0766eb33dd736469320d49acf9dc
                                                                • Instruction Fuzzy Hash: 0D62C130B0C95E8FEB99DF6CC8956A877E2FF59700B1501BAD00ED7692DE24AC41CB51
                                                                Function 00007FFCCE43AC6F Relevance: 2.8, Strings: 2, Instructions: 285COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: p6&-$p6&-
                                                                • API String ID: 0-3150903524
                                                                • Opcode ID: c51a9e6d14c6dc5adbe7eac3296b291c175f08f59177becea6d0d0cbcfb51df6
                                                                • Instruction ID: 25b94c5e112eb702a3e8fc570d0a27a3b4e40cd0d24a40139fd5e08f5c7949e8
                                                                • Opcode Fuzzy Hash: c51a9e6d14c6dc5adbe7eac3296b291c175f08f59177becea6d0d0cbcfb51df6
                                                                • Instruction Fuzzy Hash: E5815921D8D9DF0FEB59CBA858261F47BE1EF87212F1819BBC049D71D2ED186806C3A1
                                                                Function 00007FFCCDF76024 Relevance: 1.7, Strings: 1, Instructions: 484COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: H
                                                                • API String ID: 0-2852464175
                                                                • Opcode ID: a6204498507374903462b21ed496e4f6fa43aac51e1a005ec71ea54bf74e6a5f
                                                                • Instruction ID: ecf6e25ac90b5797f1e31a625bd57e24864c96e92c6bb77afbafc2ed1c45e901
                                                                • Opcode Fuzzy Hash: a6204498507374903462b21ed496e4f6fa43aac51e1a005ec71ea54bf74e6a5f
                                                                • Instruction Fuzzy Hash: 3BD12922B0CD9E4FEBD5EB6C88596F973D2FF99310B55017AD05EC3286ED18A842C390
                                                                Function 00007FFCCDF70780 Relevance: 1.6, Strings: 1, Instructions: 362COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: M
                                                                • API String ID: 0-3664761504
                                                                • Opcode ID: 4fb3460ad55cc899b182976147e44215605ea36bba98617a2362868285f49803
                                                                • Instruction ID: 731f86d20ab559afa1200bda549c77b5da727d551758dde214c4013882b6bfdd
                                                                • Opcode Fuzzy Hash: 4fb3460ad55cc899b182976147e44215605ea36bba98617a2362868285f49803
                                                                • Instruction Fuzzy Hash: B5B13431A0C69D4FEB15EF6898556F83BB0FF46310F1500BAD499CB193E9286846C7E0
                                                                Function 00007FFCCE43A298 Relevance: 1.4, Strings: 1, Instructions: 163COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ]/_H
                                                                • API String ID: 0-1846968711
                                                                • Opcode ID: d3083d5ee1932f3b836e0f8683d3cc22711f7f3063ca1b48c2bad867a69e31d7
                                                                • Instruction ID: 9d0bd2623eca4ceb2ac0a971c62a9a471d20b7362b500f46700d91a1bf1beb75
                                                                • Opcode Fuzzy Hash: d3083d5ee1932f3b836e0f8683d3cc22711f7f3063ca1b48c2bad867a69e31d7
                                                                • Instruction Fuzzy Hash: DE411622B0CEDA0FF799D66D586A2B437C2DFEA21071912BBD44EC7297EC185C02C395
                                                                Function 00007FFCCDF75A8C Relevance: .6, Instructions: 595COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c43b9eaa699f104c628a558c974b678a6ecebeec71d95e262da0c16ea3d5de1c
                                                                • Instruction ID: 873dd3fa1c5f88003b685abe6501032e16d39db590fad03718c7b77b9a80725c
                                                                • Opcode Fuzzy Hash: c43b9eaa699f104c628a558c974b678a6ecebeec71d95e262da0c16ea3d5de1c
                                                                • Instruction Fuzzy Hash: DF023722A0DAD98FEB56DB6C88552F53BE0FF56310B1510BFD09DCB293ED18A805C3A5
                                                                Function 00007FFCCE439589 Relevance: .6, Instructions: 577COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: db725ae5bc71c927835a386604384306ad5fdddd814b7f76a5220dfb47d92381
                                                                • Instruction ID: bdd5f93723cb5707650f16815eeb3e73c8ad37de47a73d13b233b958e15b7318
                                                                • Opcode Fuzzy Hash: db725ae5bc71c927835a386604384306ad5fdddd814b7f76a5220dfb47d92381
                                                                • Instruction Fuzzy Hash: 13F1F231B0CACA4FEB5ADB3858651B43BD1EF8A31071915FED08AC7697ED18A803C356
                                                                Function 00007FFCCE443145 Relevance: .5, Instructions: 547COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: df90a983f0584695f42b8265e84e59dbcd8928ed3138a3f2486de7b6462c997d
                                                                • Instruction ID: 22e1b3b0420f63d542ad5eaecf45e0118d78ccc6764f16c3d6c5b55c88d74be1
                                                                • Opcode Fuzzy Hash: df90a983f0584695f42b8265e84e59dbcd8928ed3138a3f2486de7b6462c997d
                                                                • Instruction Fuzzy Hash: 1D02B331B0CA5E8FEB98DF6C88956A877E2FF59704F0511BAD04DE3692DE24AC41CB41
                                                                Function 00007FFCCE440439 Relevance: .5, Instructions: 530COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6bf228f98c5688f0425731c8a198c4dd8ca312e72dd96b56fc77fda743d94b6b
                                                                • Instruction ID: 362e953420d6fd26fc3f66d8e6f3c13ae3e4fd49333e7b0fd6c39ce5e28284f7
                                                                • Opcode Fuzzy Hash: 6bf228f98c5688f0425731c8a198c4dd8ca312e72dd96b56fc77fda743d94b6b
                                                                • Instruction Fuzzy Hash: EBF12A3160DEC94FD356DB2888646B57BF0FF5B30072941EBC04ACB5B7DA29A846C7A1
                                                                Function 00007FFCCE434D45 Relevance: .5, Instructions: 489COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6d0c8349efb2bd4361151a6a6cd175cd23ea01b1566a9bfc2b9c8eadb2225f7f
                                                                • Instruction ID: 50d68c65d800af8a5edfbafefef991a6fb3f4ef9dfbd2ee7855bd142cf3cbe48
                                                                • Opcode Fuzzy Hash: 6d0c8349efb2bd4361151a6a6cd175cd23ea01b1566a9bfc2b9c8eadb2225f7f
                                                                • Instruction Fuzzy Hash: A1E14B31A0CA9A4FE745DF28C8955F9B7E1EF96310F1409BED449C7292DE38E842C791
                                                                Function 00007FFCCDF7A0EA Relevance: .4, Instructions: 391COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 17748d0541588ef0d9463fee69d95fba6782e4791480f3b0eea812d45b241800
                                                                • Instruction ID: 252c2a3dcb465be27e43bdab59965828e3b126e61ce103e1ed46f3ff512c9029
                                                                • Opcode Fuzzy Hash: 17748d0541588ef0d9463fee69d95fba6782e4791480f3b0eea812d45b241800
                                                                • Instruction Fuzzy Hash: FDB12722A0C6EA8FEB42EA3C94A55F537E0FF56324B1510BAC49DCB193FD195442C7A0
                                                                Function 00007FFCCDF72EC9 Relevance: .4, Instructions: 371COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e93d174072ace4c10c0d6e85839bae2b39b7b6451f665614da51469dd7dfba94
                                                                • Instruction ID: 02fc481395fdadbc0952129ecc4814198119e776b9719970256bd9b121782214
                                                                • Opcode Fuzzy Hash: e93d174072ace4c10c0d6e85839bae2b39b7b6451f665614da51469dd7dfba94
                                                                • Instruction Fuzzy Hash: CEB16871F0CBC95FD755CB2848551F93BE0FF8A200F1605BBD4A9C7292EE689846C391
                                                                Function 00007FFCCE43A8C9 Relevance: .3, Instructions: 300COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3d4eb8e0e453738b198c073339584d9a41cc347fdd7a5d853aad364c996740bf
                                                                • Instruction ID: cd4c274d52c96ffcf9eb6ab3ade443c37850268e3b3952489d5956e8980b7c6b
                                                                • Opcode Fuzzy Hash: 3d4eb8e0e453738b198c073339584d9a41cc347fdd7a5d853aad364c996740bf
                                                                • Instruction Fuzzy Hash: FB910171B0CA9A4FE758DB2C881517977D2EFDD300F145A7EE04ED32D7DE2898028686
                                                                Function 00007FFCCE43A4BB Relevance: .3, Instructions: 265COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d752a2e6966416c961d589eb50d5d644aab56af625570a1f1a8b9deaf75fba97
                                                                • Instruction ID: 5c37c0d6d5b62cebd9944df04545306fec5222cad46884850c4c949958ac5809
                                                                • Opcode Fuzzy Hash: d752a2e6966416c961d589eb50d5d644aab56af625570a1f1a8b9deaf75fba97
                                                                • Instruction Fuzzy Hash: A3715571A0CB8A4FE748DB2CA85517977D1EFDA320F14167FE48EC3297DD289802C696
                                                                Function 00007FFCCE441279 Relevance: .3, Instructions: 262COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7ee137ef41bbf0ec810b5118001f790ba3d3ea8f830dbb30d4aff2d974d39cf2
                                                                • Instruction ID: ce4d690cd5f64c13f6c01993774d23e0a46f7af036a4ff862c801f0c9d895078
                                                                • Opcode Fuzzy Hash: 7ee137ef41bbf0ec810b5118001f790ba3d3ea8f830dbb30d4aff2d974d39cf2
                                                                • Instruction Fuzzy Hash: 0C71D372B0DADE8FEB95DB7848251B83BE1EF5B344B0901FAC449DB6A3DE185805C352
                                                                Function 00007FFCCDF75CD0 Relevance: .2, Instructions: 242COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8644bba4d89798acc2e7d96756b7192ec6e897f62599bd89ae5afc42c9ecb5ac
                                                                • Instruction ID: fbece89634b96e334654b15c61ed06d5305536ec2af53be12fe984e8592e1fcb
                                                                • Opcode Fuzzy Hash: 8644bba4d89798acc2e7d96756b7192ec6e897f62599bd89ae5afc42c9ecb5ac
                                                                • Instruction Fuzzy Hash: 0A71F43170CAC98FEB9AEB2898552B537E1FF49310F1501BFD05AC7693EE29A805C791
                                                                Function 00007FFCCDF76F5F Relevance: .2, Instructions: 221COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 10f9021c69b8cc4b081b2e16d4070b2ebb578ca54023499ede1d0cae7b88dca6
                                                                • Instruction ID: 54f1958431c9c68e7ac5f290ef3cf3706fb78bdcb57fa397e9c7bfdf414c3bd7
                                                                • Opcode Fuzzy Hash: 10f9021c69b8cc4b081b2e16d4070b2ebb578ca54023499ede1d0cae7b88dca6
                                                                • Instruction Fuzzy Hash: 8861B030A1868E8FDB85EF6888116F97BA1FF45314F1511BAD01DC7293EF39A842C791
                                                                Function 00007FFCCDF77CAB Relevance: .2, Instructions: 214COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eaba607dccf48b3690fab55bfe89ff44908bf29ffb17ccfa78b0ce0c9a321e82
                                                                • Instruction ID: 52bef653487f7f0a70b234b1977d7e63b90de211f122cca0329eb94524af8ecb
                                                                • Opcode Fuzzy Hash: eaba607dccf48b3690fab55bfe89ff44908bf29ffb17ccfa78b0ce0c9a321e82
                                                                • Instruction Fuzzy Hash: CB714A31B1899D8FDF84EF98C4A1AAC77E2FF58304F1500A9D41ED7286DA25AC42C790
                                                                Function 00007FFCCDF77C7C Relevance: .2, Instructions: 213COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ddf3db60b5fe4afa8c64e9a3a424d74fd02b20557e0b5fcb1a523cd2b3a2e15c
                                                                • Instruction ID: 181815f41e26e359d752542e96be85757213d48d75c5485119596a0465dc80fb
                                                                • Opcode Fuzzy Hash: ddf3db60b5fe4afa8c64e9a3a424d74fd02b20557e0b5fcb1a523cd2b3a2e15c
                                                                • Instruction Fuzzy Hash: 82615D31B1899D8FDF85EF98C4A1AE877E2FF98304F1500A9D41ED7286DA25AC42C794
                                                                Function 00007FFCCDF7A5AD Relevance: .2, Instructions: 207COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ba320f93fa928e374ccaf9f3362bf5e9e28725c7f88b664543701481f68183f1
                                                                • Instruction ID: 810fe8ba0227bf0476635ea1d17f6cbd265cc02f99c66f102f70ec185fba9ca1
                                                                • Opcode Fuzzy Hash: ba320f93fa928e374ccaf9f3362bf5e9e28725c7f88b664543701481f68183f1
                                                                • Instruction Fuzzy Hash: 5851F631B0C99E8FEB45DB6C98956B833D1FF48310B2210B9D45EC7192ED186C43C7A0
                                                                Function 00007FFCCDF7BFB8 Relevance: .2, Instructions: 192COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 78ececf031cd88630f220379641ec3c4058a2230f7efe424639ebe82c9147ebf
                                                                • Instruction ID: 7a04e8f77c5f1ec5028cb5258157c5e489a28b0cd5e32dc9e12e2d3b93ba425b
                                                                • Opcode Fuzzy Hash: 78ececf031cd88630f220379641ec3c4058a2230f7efe424639ebe82c9147ebf
                                                                • Instruction Fuzzy Hash: F9515A31A08A8C8FE755DF6C88585B57BE0FF59300B5A11FBC449C71A7E9246C42C3A0
                                                                Function 00007FFCCDF76F96 Relevance: .2, Instructions: 190COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c7d3d65e149d41eca9e06afa2ab0fcbca798c45bcb0e9fb064853f7bc2400937
                                                                • Instruction ID: f84126ddb637127713802b4f014fb95c0e86a8839b455ea4fc358d923b99ff3b
                                                                • Opcode Fuzzy Hash: c7d3d65e149d41eca9e06afa2ab0fcbca798c45bcb0e9fb064853f7bc2400937
                                                                • Instruction Fuzzy Hash: 9151E130A1868E8FEB85EF6888116F97BA1FF45310F1500BAE01DC7293EF39A841C791
                                                                Function 00007FFCCE4414A0 Relevance: .2, Instructions: 185COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b5fa336037147d76d2addcf4cf21b071380873411e3c14b1d1667f2e81e9f1ff
                                                                • Instruction ID: b277e56db39e7d3ade61c57a0225bd2ac0dcfce8a5d9f44126d35b1412b6ff39
                                                                • Opcode Fuzzy Hash: b5fa336037147d76d2addcf4cf21b071380873411e3c14b1d1667f2e81e9f1ff
                                                                • Instruction Fuzzy Hash: 7C517C7270DBDE8FEB95DA6848592B53BE0EF9B300B0401BBC44DCB297D9289806C351
                                                                Function 00007FFCCE43B061 Relevance: .2, Instructions: 172COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f0f1c6b95203e6f364decf1b8e023240dc2a7e4814b8b5fbb045711000c1ba6f
                                                                • Instruction ID: 804694c2496346dcdb58257a1d83ac69011609b65337d2728de871272e452d36
                                                                • Opcode Fuzzy Hash: f0f1c6b95203e6f364decf1b8e023240dc2a7e4814b8b5fbb045711000c1ba6f
                                                                • Instruction Fuzzy Hash: 8E41D222B0CD9E4FEA94DA2C58697B437D1EFAA30071911B7D40DC72A7DD19AC01C395
                                                                Function 00007FFCCDF759B8 Relevance: .2, Instructions: 160COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9a4de29d17c6f634b2d145d2dd26827911c03dadc2d10999d04febcdbcec709b
                                                                • Instruction ID: cd6368e7a4cff42250e069b539e46799e00147f2ba5b0bd08a5369764f4a16d0
                                                                • Opcode Fuzzy Hash: 9a4de29d17c6f634b2d145d2dd26827911c03dadc2d10999d04febcdbcec709b
                                                                • Instruction Fuzzy Hash: 4641B020B0DA8D4FD795EB6C8868AB53BE1FF9921071501FAD40DC72A7EE18EC80C391
                                                                Function 00007FFCCDF70D1D Relevance: .2, Instructions: 153COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 21119c4cdb1b3bc0dccf3c1729e05d4cd6437a0fbe7278848c1cdd1b040d85f5
                                                                • Instruction ID: b834398d78e9b0fc57906be4861a7a7902ef3183bcf7b71f1f06c72d02311beb
                                                                • Opcode Fuzzy Hash: 21119c4cdb1b3bc0dccf3c1729e05d4cd6437a0fbe7278848c1cdd1b040d85f5
                                                                • Instruction Fuzzy Hash: A3415832B0CA9E4FE7919A6C98452F57BE1FF89310F1602BBD44CC7182ED197C4683A0
                                                                Function 00007FFCCDF79209 Relevance: .1, Instructions: 148COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 393983ce091fbcbc57e1ffc5b08b3777b800b54ad7578cffe6ea2c62e7e57bbf
                                                                • Instruction ID: da00f345864d69aa5eb5fa3f6b87f702e2db2754fa315eb630dcb4df04def461
                                                                • Opcode Fuzzy Hash: 393983ce091fbcbc57e1ffc5b08b3777b800b54ad7578cffe6ea2c62e7e57bbf
                                                                • Instruction Fuzzy Hash: B0411631A8D6D91FD356AB642C168F13BA4EF4222571A01F7D41CCB5A3D90D6983C3B1
                                                                Function 00007FFCCDF7A65F Relevance: .1, Instructions: 147COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8713264cd4cf81030a964fab9c559159827b2211bc3968cd4002ca8fd8baed3d
                                                                • Instruction ID: 85b979a44da27f1527416ae571e089c73a814346e71f31dc6dff75ba49ab58ad
                                                                • Opcode Fuzzy Hash: 8713264cd4cf81030a964fab9c559159827b2211bc3968cd4002ca8fd8baed3d
                                                                • Instruction Fuzzy Hash: F241E331B0C9494FEB85EB6CC4916B833E1FF49315F2610BAD01EC72A2EE29AC42C750
                                                                Function 00007FFCCE439400 Relevance: .1, Instructions: 130COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bfc354cc1744b0b0eb1e592fcfeb58004dbae9b441a3586d644b544fb2838707
                                                                • Instruction ID: 975341233923c4376b0484e222c7962d1d1b15778e22703596391e7fc6708460
                                                                • Opcode Fuzzy Hash: bfc354cc1744b0b0eb1e592fcfeb58004dbae9b441a3586d644b544fb2838707
                                                                • Instruction Fuzzy Hash: 7E418B71A08A9E8FDB98DF58C4546A977E1FFA9300F14167AD50EE3285DE34A842CBD0
                                                                Function 00007FFCCDF714F2 Relevance: .1, Instructions: 122COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a459a61f23e0a125303b8fefc9f23492062ebc5aba5e5097ffe807c17e855d9d
                                                                • Instruction ID: 0b51c91a2dab44978dc9670ee29c2a15ebcdb46d98b3db4e49790f8f87c97e3a
                                                                • Opcode Fuzzy Hash: a459a61f23e0a125303b8fefc9f23492062ebc5aba5e5097ffe807c17e855d9d
                                                                • Instruction Fuzzy Hash: C031B3307189498FDB84EF5CC495AB9B3E2FF98300B55157AE04EC72A6DE24E846C741
                                                                Function 00007FFCCDF799F0 Relevance: .1, Instructions: 116COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d4b905de459afa542deae4312420680d0de2d233cd25534cfbfe59ed41a433e0
                                                                • Instruction ID: 7f9faf1fecbe45f6aa0d265bc19a4a7156fcdd7e2f96de0e3f0a57fa1c0cd91c
                                                                • Opcode Fuzzy Hash: d4b905de459afa542deae4312420680d0de2d233cd25534cfbfe59ed41a433e0
                                                                • Instruction Fuzzy Hash: BF21C321B09D5D4FBBD8EE5C9895AB533D1FB9921071501BED41ECB296ED29EC42C380
                                                                Function 00007FFCCDF7141D Relevance: .1, Instructions: 100COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fc4af0d7819fba54759fa9147275b46ee846590a0808364504b6b79f12707572
                                                                • Instruction ID: b00c9d3b15e20286254637225c843c54363469357970bc219385e690fd019f89
                                                                • Opcode Fuzzy Hash: fc4af0d7819fba54759fa9147275b46ee846590a0808364504b6b79f12707572
                                                                • Instruction Fuzzy Hash: AF31F5B160EBC94FDB4ADB7888656A57FE1EF5B20071A04EFC089CF1A3D9199C09C761
                                                                Function 00007FFCCE439425 Relevance: .1, Instructions: 96COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf23e7304514be62fafb74a5c2c31732d9c51e4223af7c848f991b7b77bf5835
                                                                • Instruction ID: c458a151f376118934cc82466b0c53a11d70282f84a1f670dd567178a92cb1b2
                                                                • Opcode Fuzzy Hash: bf23e7304514be62fafb74a5c2c31732d9c51e4223af7c848f991b7b77bf5835
                                                                • Instruction Fuzzy Hash: 42312931A0CADE8FCB85DF68D8455E9BBF0FF59300B0805EAC409E7296DE24AC06C790
                                                                Function 00007FFCCDF7D125 Relevance: .1, Instructions: 89COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3757280bc450ac68eb367f0081ff57672fbb231924db32e2ae5a343143b7c4e
                                                                • Instruction ID: 120fbaf17101dc5df91c880058e8bd996b2269efdf63c85bc56f1eb8119ec981
                                                                • Opcode Fuzzy Hash: e3757280bc450ac68eb367f0081ff57672fbb231924db32e2ae5a343143b7c4e
                                                                • Instruction Fuzzy Hash: EF21E73170DA898FE7859B3C88692653AE1FF5A301B5A05EBD049CB1E7DA246805C362
                                                                Function 00007FFCCDF7807C Relevance: .1, Instructions: 82COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 125093d3538e2fae7d0e58e1d3499d467ee5bb6d7c7f7fec9e921e6485ed2962
                                                                • Instruction ID: f8fd155dde9f4141de875bbe976ea318dd6782e340d30d08063de7fbbc6e3853
                                                                • Opcode Fuzzy Hash: 125093d3538e2fae7d0e58e1d3499d467ee5bb6d7c7f7fec9e921e6485ed2962
                                                                • Instruction Fuzzy Hash: 38212561B0C9DC5FFB96C7B89C5A2E9BBD1FF09314F4A10ACD059C71C2EA581801C346
                                                                Function 00007FFCCDF71FBA Relevance: .1, Instructions: 76COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 157c76ae9eb56abda1c2a3f51d608c2fecaf63553611f016d2b39dda3fa51928
                                                                • Instruction ID: e37d466e7a04c7e358f6910c29dd6950bbce757eead0ab01daa5e975b5523f5f
                                                                • Opcode Fuzzy Hash: 157c76ae9eb56abda1c2a3f51d608c2fecaf63553611f016d2b39dda3fa51928
                                                                • Instruction Fuzzy Hash: 5D11E721B0CADD4FE7596AA864122FCB7A1EF86300F5400BFD459C72C7EE196806C391
                                                                Function 00007FFCCDF7932E Relevance: .1, Instructions: 73COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5ff980b1fabfec6ab0ec9ef2b85669a47aec7bec7e66977de417ee1e27a2a5cc
                                                                • Instruction ID: 9f2d2c1993ae763c86171e574c61536eee461112dc51cacd89020c9ed77ec799
                                                                • Opcode Fuzzy Hash: 5ff980b1fabfec6ab0ec9ef2b85669a47aec7bec7e66977de417ee1e27a2a5cc
                                                                • Instruction Fuzzy Hash: D411422160DAC84FDB96DB7898699A47BF0FF5630030901DBD089CB1A7DA18E844C791
                                                                Function 00007FFCCDF705B0 Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bfc273d4d1ca3218e29dba357bbeea1e6a84dde470cdbe5a893451016fa17fa5
                                                                • Instruction ID: e9b2881d59dba38f23ef58fb7e72af77d480499a4653932b85fb7b7d1a08e2a4
                                                                • Opcode Fuzzy Hash: bfc273d4d1ca3218e29dba357bbeea1e6a84dde470cdbe5a893451016fa17fa5
                                                                • Instruction Fuzzy Hash: 66112532908DDE4FDB95EB2888189B977A0FF6530070951ABE05EC75A2FE14AC49C791
                                                                Function 00007FFCCDF70BB8 Relevance: .1, Instructions: 69COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 82c57f497f1735b2ed477ef6a5ffb384c3196fda5296c0fa83163af4413f62c4
                                                                • Instruction ID: 6dd5b382026df0bc4fd995bb08b30f36b8a7c6248fa32ff43b60f201ca42021b
                                                                • Opcode Fuzzy Hash: 82c57f497f1735b2ed477ef6a5ffb384c3196fda5296c0fa83163af4413f62c4
                                                                • Instruction Fuzzy Hash: 2E119121B0885D4F9B94EF6C84045FEB7B1FF98320B110276D01DE3281EE28AA1287E1
                                                                Function 00007FFCCE4372C1 Relevance: .1, Instructions: 67COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 23aa93d9469968e407895ed1034303d6789c4dfe0a77280a5ab8fc738a005328
                                                                • Instruction ID: d569a498686dedaa6c07c799f024e8deb4debb0afd07b46d22bff6b1b0779ebb
                                                                • Opcode Fuzzy Hash: 23aa93d9469968e407895ed1034303d6789c4dfe0a77280a5ab8fc738a005328
                                                                • Instruction Fuzzy Hash: 1911296190E7C91FD303DB789C655B63F94DE5721075A41FBE488C71A3DD1C8456C3A2
                                                                Function 00007FFCCDF76BD0 Relevance: .1, Instructions: 63COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f6e31e8eebad5b3bc2bde45b18bc50516a42ec91b05d96e8718bbc883f92045e
                                                                • Instruction ID: 6ec9184de1660bd7302422c323cdef045d5db953b943bf3a85fde908834aba5f
                                                                • Opcode Fuzzy Hash: f6e31e8eebad5b3bc2bde45b18bc50516a42ec91b05d96e8718bbc883f92045e
                                                                • Instruction Fuzzy Hash: 67116A30A08A5E8BDBA8EF6884455F9B3B1FF59300B520579E02AD3291DB26B881C791
                                                                Function 00007FFCCDF71381 Relevance: .1, Instructions: 58COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c4953900cd24af5d2c9dd4752f3d374339fe399fa943b8af93713580e9bcfcac
                                                                • Instruction ID: 90d5126106f54d663292c6ddd1b9bc54ad729152ec3be640fa2e48dfbec96f5a
                                                                • Opcode Fuzzy Hash: c4953900cd24af5d2c9dd4752f3d374339fe399fa943b8af93713580e9bcfcac
                                                                • Instruction Fuzzy Hash: 9A01DF7044E6D85FD703DB7088199A6BFB0EE1320470E51DFD08ACF4B3D618A909C762
                                                                Function 00007FFCCE432F08 Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3d21400bde5d37671e309d1a6a2cd689aec99f8c6b4b34dacd6391883f60c07
                                                                • Instruction ID: c2630d7c555d7d714d1bc8658f3fc393148eda8da2c7b172be871a2585875111
                                                                • Opcode Fuzzy Hash: e3d21400bde5d37671e309d1a6a2cd689aec99f8c6b4b34dacd6391883f60c07
                                                                • Instruction Fuzzy Hash: E501242290DACD1FD312AF785C595B63FD4DE57220B2901BBE488C71A3DD1C8445C3A1
                                                                Function 00007FFCCE43B1C2 Relevance: .1, Instructions: 55COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 72de34dd9e5d2458b6c596bea56b4741b0d0fb2cb7b0cb82af2220a632484acb
                                                                • Instruction ID: f810ec112e4986ba3bd547492cde8217e11bf3fea1e764ddfde6942fb1fbf91e
                                                                • Opcode Fuzzy Hash: 72de34dd9e5d2458b6c596bea56b4741b0d0fb2cb7b0cb82af2220a632484acb
                                                                • Instruction Fuzzy Hash: 3701B521A0DBCD4FDB469B3C48252643BE1EF8B29071905EBD449DF1A3D918AC058361
                                                                Function 00007FFCCDF7A318 Relevance: .1, Instructions: 54COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 679d20a5462da1d19d3e6db6b683b1f59ea47837e09c5e6be626175a20c88b7f
                                                                • Instruction ID: 4b27dec30d63086cbe0fc9a1fed286ef41fcd71439bd12bf0f76d27d239f8f6d
                                                                • Opcode Fuzzy Hash: 679d20a5462da1d19d3e6db6b683b1f59ea47837e09c5e6be626175a20c88b7f
                                                                • Instruction Fuzzy Hash: B501A130A08A5D4FDBD4EF6880411F9B7B0FF55300B12157AD42DD3191EF26A881CB91
                                                                Function 00007FFCCE4374AD Relevance: .1, Instructions: 52COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ff802ccb9bcfdf1821cae51c4b3012c990ad4d28e931f52c724d78354bc36a45
                                                                • Instruction ID: 93bf8c1bb4120c57628584b97deb7e115d466f8a18beaccdde986fad23541fb0
                                                                • Opcode Fuzzy Hash: ff802ccb9bcfdf1821cae51c4b3012c990ad4d28e931f52c724d78354bc36a45
                                                                • Instruction Fuzzy Hash: 36014C6590DBC50FD345DF7D58981A2BFD1DFA1225B2846FBD488CB29BD8289804C3E1
                                                                Function 00007FFCCE43AB9F Relevance: .0, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0af6a8df2b95ba5c2babb1636eb63cb4d8d8a48b48060b5f9da967bc0d2a548d
                                                                • Instruction ID: c3e5ca1644b182aea80c552e088f4a3fe5a0142babfea4cbad8913edc47cd8ba
                                                                • Opcode Fuzzy Hash: 0af6a8df2b95ba5c2babb1636eb63cb4d8d8a48b48060b5f9da967bc0d2a548d
                                                                • Instruction Fuzzy Hash: E5F0623260CB184F9754EE0CE8825F6B3E0EB94330B54866BD48BC351AED29F4478BC2
                                                                Function 00007FFCCE443D29 Relevance: .0, Instructions: 36COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ba274202685b09aab2960c37c126720f54065d79a3462cf7fd655dca0171b636
                                                                • Instruction ID: 5ff497580ec99bd00092d0f1555bcdfa0a251dc1bdf6c9fec0d4c8f6c82a47cb
                                                                • Opcode Fuzzy Hash: ba274202685b09aab2960c37c126720f54065d79a3462cf7fd655dca0171b636
                                                                • Instruction Fuzzy Hash: F5F0A022B4E99E4F9691FEAC58546787382EB59A50F2045BAC00FC72A7ED289C09C3C0
                                                                Function 00007FFCCE432F18 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c8c56a06cc105d91e422fa917a7c94535e6243158fa36c546da7f57c9dfebc84
                                                                • Instruction ID: 3ced279903a972bfffef4b06d24134657fe52a188047f5a704c35c6e68ff5627
                                                                • Opcode Fuzzy Hash: c8c56a06cc105d91e422fa917a7c94535e6243158fa36c546da7f57c9dfebc84
                                                                • Instruction Fuzzy Hash: ABF0A731E149080B9748DE6D988867376D2DBD8331B74C2B7E41CC72AED9349441C2D0
                                                                Function 00007FFCCDF731D1 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5579c37a90503c658476c03ee75c9850baea8a6aa79170d9d6fec5f48367d0ec
                                                                • Instruction ID: 87ea6ac6f932e2656820d01e7b3c7297bdeebe0d72d2406e463c23977a6bd9ed
                                                                • Opcode Fuzzy Hash: 5579c37a90503c658476c03ee75c9850baea8a6aa79170d9d6fec5f48367d0ec
                                                                • Instruction Fuzzy Hash: 0D01F67190E7C89FCB92DF28C8914997FF0FF46210B46099AF888CB152E225D954CB42
                                                                Function 00007FFCCDF7D232 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 13e0ceb0aadec4e7e1585873d6b76c4d1ebc0d7a878a425953097ca451f39866
                                                                • Instruction ID: 04de463d651bde9020b409f99f4cfba194aba59790611e68c54016a3b14b1612
                                                                • Opcode Fuzzy Hash: 13e0ceb0aadec4e7e1585873d6b76c4d1ebc0d7a878a425953097ca451f39866
                                                                • Instruction Fuzzy Hash: 01F0B42070D9E98FEA94AB7C44211E42290FF8E70575210BAD409CB197D8259C05C361
                                                                Function 00007FFCCDF70615 Relevance: .0, Instructions: 32COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 01c0f43c64608fad8a22e304bfc287d950aab3bfeb26056ce9a6bfe2d0d29a8a
                                                                • Instruction ID: 83d3eafb66a2470520b091005c103e5e952355483f68c60b2a03b712e3f67256
                                                                • Opcode Fuzzy Hash: 01c0f43c64608fad8a22e304bfc287d950aab3bfeb26056ce9a6bfe2d0d29a8a
                                                                • Instruction Fuzzy Hash: 73F0A03160C98C8FCB11EE68E8618ED7B70FF56318B0511A7D04DCB452EA21A959CB92

                                                                Non-executed Functions

                                                                Function 00007FFCCE433D0D Relevance: 2.6, Strings: 1, Instructions: 1331COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: {$
                                                                • API String ID: 0-351916144
                                                                • Opcode ID: 83d3bc10c1dabec4e547751b593354142fe00f395de1f513e5d9be807645fae1
                                                                • Instruction ID: 8a33ecf1e9920c0c95d623fe2417ce10f5f888aeb7722ea5669b07c57eb3a8ff
                                                                • Opcode Fuzzy Hash: 83d3bc10c1dabec4e547751b593354142fe00f395de1f513e5d9be807645fae1
                                                                • Instruction Fuzzy Hash: 38B2747060CB898FD7A9DF18C4596EAB7E1FF99310F10466ED09DC72A6DE34A841CB42
                                                                Function 00007FFCCDF76BB0 Relevance: 1.9, Strings: 1, Instructions: 693COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 3n_H
                                                                • API String ID: 0-3300386368
                                                                • Opcode ID: 83ebbc50111a9a761de22d0f071aadaa89af7e9297b93ca84c124b4986541025
                                                                • Instruction ID: 25d08c46a60ed25ced4b936cde4c34d3313d18ee6b7efc5c4f321dfd54629bb6
                                                                • Opcode Fuzzy Hash: 83ebbc50111a9a761de22d0f071aadaa89af7e9297b93ca84c124b4986541025
                                                                • Instruction Fuzzy Hash: 09327031B0899E8FEB94EF68C454BB9B7A1FF58310F551179D01EC7186EE28E882C790
                                                                Function 00007FFCCE433600 Relevance: .8, Instructions: 787COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 97644597fe12e83d8b1a1d1872d85fe5186b75dff2e598580f7895c261a92c0d
                                                                • Instruction ID: 21ba93419b971abb6ad3a723978e39777e088a9bc383f9fc1c289a23c83c8720
                                                                • Opcode Fuzzy Hash: 97644597fe12e83d8b1a1d1872d85fe5186b75dff2e598580f7895c261a92c0d
                                                                • Instruction Fuzzy Hash: 60320971A0CF8A4FE799DF2C98591767BE2EF9A310B1506BFD08DC7296DE259801C342
                                                                Function 00007FFCCE430A2A Relevance: .8, Instructions: 760COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd78fed1df646b2c256d3d90c2c1398a96a554b6dbfc2c5ac1e5ad2d1eccc0ea
                                                                • Instruction ID: 8b9b13a27f1dab8cd3547f4f80d39bc94ef86e91858d645d95a43e366056d8db
                                                                • Opcode Fuzzy Hash: cd78fed1df646b2c256d3d90c2c1398a96a554b6dbfc2c5ac1e5ad2d1eccc0ea
                                                                • Instruction Fuzzy Hash: 3832E271A0CE898FE7A8DF2C985566977E1FF99310F10467ED09DC32A6DE349802C786
                                                                Function 00007FFCCDF74A2E Relevance: .7, Instructions: 664COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4d8a85d29740e7914122fe1ea082d25cfa70f24641c8a34757d714d4707028f2
                                                                • Instruction ID: 69fbbfe364670680ff64d8f68c44e014234c0a8c04492e810bc35bede827f420
                                                                • Opcode Fuzzy Hash: 4d8a85d29740e7914122fe1ea082d25cfa70f24641c8a34757d714d4707028f2
                                                                • Instruction Fuzzy Hash: 0C122221B0CEDA4FE755EB6888506B577D1FF85310F1901BED49ECB197EE28A806C3A1
                                                                Function 00007FFCCE444EE9 Relevance: .6, Instructions: 583COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17298696405.00007FFCCE430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCE430000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffcce430000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88d7d3e82187acb6c0d9c57d1785e409f6393c8c174e254273175cf80f16e42b
                                                                • Instruction ID: 3369bdb7a35d9dc63a35593e9af213fc23150c3e7f48f03c33a3ba6384a01873
                                                                • Opcode Fuzzy Hash: 88d7d3e82187acb6c0d9c57d1785e409f6393c8c174e254273175cf80f16e42b
                                                                • Instruction Fuzzy Hash: 57022530A0CA8A8FE759DF2CC45467577E1FF5A344B2415BFD04AC76A3DA39A842C750
                                                                Function 00007FFCCDF726E0 Relevance: 5.2, Strings: 4, Instructions: 214COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.17286450979.00007FFCCDF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCCDF70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffccdf70000_Microsoft.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: {_^${_^${_^${_^
                                                                • API String ID: 0-2527062091
                                                                • Opcode ID: 77ee437e0885eb72d64245cb88ec0d86651627bc6f7f5ccfe19aa6ed0b67143c
                                                                • Instruction ID: 51684b0cc01229c57abec0a045f03d160faf8080231855cc1ec7e133dffc5246
                                                                • Opcode Fuzzy Hash: 77ee437e0885eb72d64245cb88ec0d86651627bc6f7f5ccfe19aa6ed0b67143c
                                                                • Instruction Fuzzy Hash: A0610553A085E64BE602BA3D9CAA5E63FA0FF16324709007BD5DA4B287FC0C6147C2F5