Joe Sandbox Cloud Basic Analysis Report
Play interactive tourEdit tour

Windows Analysis Report EXCEL.EXE

Overview

General Information

Sample Name:EXCEL.EXE
Analysis ID:465987
MD5:496679cae38de68d86b4ae99d7126414
SHA1:6fd1b77e69024637030f59405c7a159840eb5fcf
SHA256:46554daf7a4a6082bb1faf1ff143c60c4f6701279c47e4563a6a2a53f0b5b5e0
Infos:

Most interesting Screenshot:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5532 cmdline: 'C:\Users\user\Desktop\EXCEL.EXE' MD5: 496679CAE38DE68D86B4AE99D7126414)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: EXCEL.EXEStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: EXCEL.EXEStatic PE information: certificate valid
Source: EXCEL.EXEStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cel.pdb source: EXCEL.EXE
Source: Binary string: P:\Target\x86\ship\xl\x-none\excel.pdbcel.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: EXCEL.EXE
Source: Binary string: P:\Target\x86\ship\xl\x-none\excel.pdb source: EXCEL.EXE
Source: EXCEL.EXEString found in binary or memory: http://127.0.0.1http://
Source: EXCEL.EXE, 00000000.00000002.533237258.000000000F8F5000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
Source: EXCEL.EXE, 00000000.00000002.533237258.000000000F8F5000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
Source: EXCEL.EXE, 00000000.00000002.533237258.000000000F8F5000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagramll
Source: EXCEL.EXEString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/table
Source: EXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: EXCEL.EXEString found in binary or memory: http://www.msn.com4
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: EXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionloggingL
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/downloadgmAppInfoQuery15https://api.addins.omex.offi
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledd
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticatedX
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/commerce/queryDeepLinkingServicehttps://store.office.com/ad
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: EXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiO
Source: EXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiv
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech:
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248793939.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.aadrm.com/
Source: EXCEL.EXE, 00000000.00000003.461955622.000000000F9E6000.00000004.00000001.sdmpString found in binary or memory: https://api.aadrm.com/=:sh?
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.office.com/app/querychAppStateQuery15https://api.addins.omex.office.net/app
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.aiBearer
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.aihttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.aip
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comB
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comBearer
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comUrl
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comhttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/eAStreamVideoBasehttps://web.microsoftstream.com/video/ioPPTQuic
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/ntZvUjZ
Source: EXCEL.EXE, 00000000.00000003.461877346.000000000F9AC000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstreap-
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.office.net
Source: EXCEL.EXE, 00000000.00000003.461955622.000000000F9E6000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net8=
Source: EXCEL.EXE, 00000000.00000003.461955622.000000000F9E6000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netp46n
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.onedrive.com
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comMBI
Source: EXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: EXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/neb
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://arc.msn.com/v4/api/selectionq
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248793939.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/OneNoteBulletinshttps://
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://augloop.office.com
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://augloop.office.com/v2
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2Bearer
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com1
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461877346.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cdn.entity.
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.pngd
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell)
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellig
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpselln
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://clients.config.office.net/
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/&
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/Bearer
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorizeIm
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: EXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ios1
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ioshttps://login.windows.net/common/oauth2/authorizee=
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorizeoo
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyBearer
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyody
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx0
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://config.edge.skype.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/OfficeA
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cortana.ai
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cortana.ai/api
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apiBearer
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ail
Source: EXCEL.EXE, 00000000.00000003.461955622.000000000F9E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://cr.office.com
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comP
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comn
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesBearer
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dev.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aiBearer
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aihttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/S
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://devnull.onenote.com
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comBearer
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comt
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://directory.services.
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://ecs.office.com/config/v2/OfficeX
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/1
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1AuthorizationBearer
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1W
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v15
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1EnrichmentWACUrlhttps://enrichment.osi.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/EnrichmentMetadataUrlhttps://enrichm
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.jsonF
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml-
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlEnrichmentDisambiguat
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOf
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://graph.windows.net
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://graph.windows.net/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/H
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.netZ
Source: EXCEL.EXE, 00000000.00000002.533223086.000000000F8ED000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetryosOfficeOnlineContenthttps://insertmedi
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d5
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1O
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1rev=
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?OfficeOnlineContentM365Iconshttps://hu
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comidODSPPEUrlhttps://o365diagnosticsppe-web.cloudapp.netODS
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp6
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing?-
Source: EXCEL.EXE, 00000000.00000002.533099894.000000000F810000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeOnlineContentF
Source: EXCEL.EXE, 00000000.00000002.533099894.000000000F810000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: EXCEL.EXE, 00000000.00000002.533099894.000000000F810000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveI
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMBI_SSL_SHORTofficeapps.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearer
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://lifecycle.office.com
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.comco8
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize:;
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizees
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeo;
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://login.windows.local
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localtes
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$;9nH
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%8:oY
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&9;lj
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/?4j
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize59
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8=%h$
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize9:&i5
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;8
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeA
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeG
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH:
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeI;
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeK9
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeM?
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248591724.00000000122E1000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeP
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT6
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeV
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ9
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_:
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom~;
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeg
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizei9
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeizeL
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeizeY8
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248591724.00000000122E1000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizem=
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizen:
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeo:
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeq
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete2
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizev
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex9
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizey6
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizez7
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://management.azure.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://management.azure.com/
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://messaging.office.com/
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/log#
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyBearer
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechh
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://ncus.contentsync.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://ncus.pagecontentsync.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.518361003.00000000028CA000.00000004.00000020.sdmpString found in binary or memory: https://nexus.officeapps.live.com
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/(
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com2BE
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordhttps://login.windows.net/co
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.comBearer
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248591724.00000000122E1000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://officeapps.live.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com#
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com%
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com%)
Source: EXCEL.EXE, 00000000.00000003.248745400.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com%)Ze
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com5
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com8)
Source: EXCEL.EXE, 00000000.00000003.248591724.00000000122E1000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comFP
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comK
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comU
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coma
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comg
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comi
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coms
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comx
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://officeci.azurewebsites.net/api/k
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.liv
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://onedrive.live.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?f
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comOneDriveLogUploadServicehttps://storage.live.com/clientlogs/uploadlocationM
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comed
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://osi.office.net
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.net/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netN
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.com
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461877346.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://outlook.office.com/
Source: EXCEL.EXE, 00000000.00000002.533099894.000000000F810000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comY
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461877346.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://outlook.office365.com/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonicBIVisualHostAgaveUrlhttps://ovisualuia
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://pages.store.office.com/review/query
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/queryJ
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx=
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13ache
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461914493.000000000F9C6000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://powerlift-frontdesk.acompli.netPowerLiftGymBaseUrlhttps://powerlift.acompli.netSubstrateOffi
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461914493.000000000F9C6000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://powerlift.acompli.net
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/a
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://roaming.edog.
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.comh8
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://settings.outlook.com
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://shell.suite.office.com:1443J
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work1
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workPowerBIGetDatasetsApihttps://api.pow
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workV
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oau
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://staging.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aiBearer
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aihttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation0
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://store.officeppe.com/addinstemplateVaDeepLinkingTemplateshttps://omextemplates.content.office
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://store.officeppe.com/addinstemplate_
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWritef
Source: 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/initBearer
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/inithttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com9
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comK
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comW
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comrlx
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
Source: EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://tasks.office.com
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://tasks.office.comt
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://web.microsoftstream.com/video/Wv
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ExchangeAutoDiscoverhttps:/
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/W
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://webshell.suite.office.com
Source: EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.com6LOCSettingsCloudPolicyServiceAndroidUrlhttps://clients.config.offi
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios_
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://wus2.contentsync.
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2rev=
Source: EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: EXCEL.EXE, 00000000.00000002.518361003.00000000028CA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: EXCEL.EXEStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: EXCEL.EXE, 00000000.00000003.461540287.0000000002980000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameD3D10Warp.dllj% vs EXCEL.EXE
Source: EXCEL.EXE, 00000000.00000002.532869105.000000000E890000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs EXCEL.EXE
Source: EXCEL.EXE, 00000000.00000002.536798004.0000000012910000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamed2d1j% vs EXCEL.EXE
Source: EXCEL.EXE, 00000000.00000002.535248782.0000000011FD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs EXCEL.EXE
Source: EXCEL.EXE, 00000000.00000002.535332102.0000000012000000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs EXCEL.EXE
Source: EXCEL.EXE, 00000000.00000002.535305766.0000000011FE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs EXCEL.EXE
Source: EXCEL.EXE, 00000000.00000002.525804373.000000000B3E1000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameXLIntl.dllL vs EXCEL.EXE
Source: EXCEL.EXE, 00000000.00000002.535222847.0000000011FC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs EXCEL.EXE
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EXCEL.EXEStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\EXCEL.EXESection loaded: oartgrfserver.dll
Source: EXCEL.EXEStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Users\user\Desktop\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{F31F6C12-3EC3-4549-B1D2-49DCFD7AF8C8} - OProcSessId.datJump to behavior
Source: EXCEL.EXEString found in binary or memory: cell-range-address
Source: EXCEL.EXEString found in binary or memory: rget-range-address
Source: EXCEL.EXEString found in binary or memory: se-cell-address
Source: EXCEL.EXEString found in binary or memory: se-cell-addressot
Source: EXCEL.EXEString found in binary or memory: l-range-address
Source: EXCEL.EXEString found in binary or memory: cell-address
Source: EXCEL.EXEString found in binary or memory: target-range-address
Source: EXCEL.EXEString found in binary or memory: tab-stop-distance
Source: EXCEL.EXEString found in binary or memory: base-cell-address
Source: EXCEL.EXEString found in binary or memory: date-start
Source: EXCEL.EXEString found in binary or memory: GlDft-HelpType
Source: classification engineClassification label: clean3.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\EXCEL.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\EXCEL.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: EXCEL.EXEStatic file information: File size 27126608 > 1048576
Source: initial sampleStatic PE information: Valid certificate with Microsoft Issuer
Source: EXCEL.EXEStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel
Source: EXCEL.EXEStatic PE information: certificate valid
Source: EXCEL.EXEStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1290000
Source: EXCEL.EXEStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1d4200
Source: EXCEL.EXEStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3f4e00
Source: EXCEL.EXEStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EXCEL.EXEStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EXCEL.EXEStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EXCEL.EXEStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EXCEL.EXEStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EXCEL.EXEStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: EXCEL.EXEStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: EXCEL.EXEStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: cel.pdb source: EXCEL.EXE
Source: Binary string: P:\Target\x86\ship\xl\x-none\excel.pdbcel.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: EXCEL.EXE
Source: Binary string: P:\Target\x86\ship\xl\x-none\excel.pdb source: EXCEL.EXE
Source: EXCEL.EXEStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EXCEL.EXEStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EXCEL.EXEStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EXCEL.EXEStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EXCEL.EXEStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: EXCEL.EXEStatic PE information: real checksum: 0x19e2e3c should be:
Source: C:\Users\user\Desktop\EXCEL.EXERegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: EXCEL.EXE, 00000000.00000002.531768057.000000000D936000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWX
Source: EXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: EXCEL.EXE, 00000000.00000002.519095224.0000000002F50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.519095224.0000000002F50000.00000002.00000001.sdmpBinary or memory string: Progman
Source: EXCEL.EXE, 00000000.00000002.519095224.0000000002F50000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
Source: EXCEL.EXE, 00000000.00000002.519095224.0000000002F50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
Source: EXCEL.EXE, 00000000.00000002.519095224.0000000002F50000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Users\user\Desktop\EXCEL.EXEQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsCommand and Scripting Interpreter2DLL Side-Loading1Process Injection1Masquerading1Input Capture1Query Registry1Remote ServicesInput Capture1Exfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Process Injection1LSASS MemorySecurity Software Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)DLL Side-Loading1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery12Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 465987 Sample: EXCEL.EXE Startdate: 16/08/2021 Architecture: WINDOWS Score: 3 4 EXCEL.EXE 19 15 2->4         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
EXCEL.EXE0%VirustotalBrowse
EXCEL.EXE0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://o365auditrealtimeingestion.manage.office.comBearer0%Avira URL Cloudsafe
https://cdn.entity.0%URL Reputationsafe
https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize0%Avira URL Cloudsafe
http://127.0.0.1http://0%Avira URL Cloudsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://api.aadrm.com/0%URL Reputationsafe
https://store.officeppe.com/addinstemplateVaDeepLinkingTemplateshttps://omextemplates.content.office0%Avira URL Cloudsafe
http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
http://www.zhongyicts.com.cn0%URL Reputationsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://officeci.azurewebsites.net/api/0%Avira URL Cloudsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://substrate.office.comrlx0%Avira URL Cloudsafe
https://cortana.ail0%Avira URL Cloudsafe
https://graph.windows.netZ0%Avira URL Cloudsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://api.cortana.aip0%Avira URL Cloudsafe
http://www.carterandcone.coml0%URL Reputationsafe
https://api.onedrive.comMBI0%Avira URL Cloudsafe
https://ncus.contentsync.0%URL Reputationsafe
https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.0%Avira URL Cloudsafe
https://substrate.office.comK0%Avira URL Cloudsafe
https://substrate.office.comP0%Avira URL Cloudsafe
https://api.aadrm.com/=:sh?0%Avira URL Cloudsafe
https://devnull.onenote.comMBI_SSL_SHORT0%Avira URL Cloudsafe
https://substrate.office.comW0%Avira URL Cloudsafe
https://wus2.contentsync.0%URL Reputationsafe
https://onedrive.live.comed0%Avira URL Cloudsafe
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.comco80%Avira URL Cloudsafe
http://www.typography.netD0%URL Reputationsafe
http://fontfabrik.com0%URL Reputationsafe
https://shell.suite.office.com:1443J0%Avira URL Cloudsafe
https://outlook.office.comY0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://shell.suite.office.com:1443EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
    		high
    https://autodiscover-s.outlook.com/EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461877346.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
      		high
      https://o365auditrealtimeingestion.manage.office.comBearerEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrEXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
        		high
        https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oauEXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpfalse
          		high
          https://cdn.entity.1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
          • URL Reputation: safe
          		unknown
          https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorizeEXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://127.0.0.1http://EXCEL.EXEfalse
          • Avira URL Cloud: safe
          		low
          https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
            		high
            https://rpsticket.partnerservices.getmicrosoftkey.comEXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
            • URL Reputation: safe
            		unknown
            https://lookup.onenote.com/lookup/geolocation/v1EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
              		high
              http://www.fontbureau.com/designersEXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpfalse
                		high
                https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                  		high
                  https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                    		high
                    https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/emEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                      		high
                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpfalse
                        		high
                        https://api.aadrm.com/EXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248793939.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                        • URL Reputation: safe
                        		unknown
                        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                          		high
                          https://api.microsoftstream.com/api/EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                            		high
                            https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=ImmersiveEXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                              		high
                              https://store.officeppe.com/addinstemplateVaDeepLinkingTemplateshttps://omextemplates.content.officeEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://cr.office.comEXCEL.EXE, 00000000.00000003.461955622.000000000F9E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                		high
                                http://www.galapagosdesign.com/DPleaseEXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://login.windows.net/common/oauth2/authorize/?4jEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.zhongyicts.com.cnEXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://res.getmicrosoftkey.com/api/redemptioneventsEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOfEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                                    		high
                                    https://tasks.office.comEXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                      		high
                                      https://officeci.azurewebsites.net/api/EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://store.office.cn/addinstemplateEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://onedrive.live.com/embed?fEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                        		high
                                        https://substrate.office.comrlxEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://cortana.ailEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpfalse
                                          		high
                                          https://graph.windows.netZEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                            		high
                                            https://www.odwebp.svc.msEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://login.windows-ppe.net/common/oauth2/authorizeesEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                                              		high
                                              https://api.cortana.aipEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://api.powerbi.com/v1.0/myorg/groupsEXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                		high
                                                https://web.microsoftstream.com/video/EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                  		high
                                                  https://graph.windows.netEXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                    		high
                                                    http://www.carterandcone.comlEXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://api.onedrive.comMBIEXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                        		high
                                                        https://ncus.contentsync.EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.EXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://substrate.office.comKEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                          		high
                                                          http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                            		high
                                                            https://substrate.office.comPEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                              		high
                                                              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                		high
                                                                https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2AzurEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  https://api.aadrm.com/=:sh?EXCEL.EXE, 00000000.00000003.461955622.000000000F9E6000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://devnull.onenote.comMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		low
                                                                  https://substrate.office.comWEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://login.windows.net/common/oauth2/authorizeaEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    https://login.windows.net/common/oauth2/authorizebEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      https://login.windows.net/common/oauth2/authorizecEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://wus2.contentsync.EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://login.windows.net/common/oauth2/authorizedEXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://onedrive.live.comedEXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          http://www.founder.com.cn/cn/bTheEXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://clients.config.office.net/user/v1.0/ios1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                            		high
                                                                            https://login.windows.net/common/oauth2/authorizegEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              https://substrate.office.com/Todo-Internal.ReadWritefEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                https://login.windows.net/common/oauth2/authorizeo:EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                                    		high
                                                                                    https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                                      		high
                                                                                      https://login.windows.net/common/oauth2/authorizePEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                        		high
                                                                                        https://clients.config.office.net/user/v1.0/android/policies1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                                          		high
                                                                                          https://login.windows.net/common/oauth2/authorizeREXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                            		high
                                                                                            https://analysis.windows.net/powerbi/apiOEXCEL.EXE, 00000000.00000002.535442384.0000000012290000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://login.windows.net/common/oauth2/authorizeSEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/EXCEL.EXE, 00000000.00000003.248650939.000000000F9B1000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oauEXCEL.EXE, 00000000.00000003.248638674.0000000012291000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    https://entitlement.diagnostics.office.comEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461900280.000000000F9BB000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                                                      		high
                                                                                                      https://login.windows.net/common/oauth2/authorize$;9nHEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        https://login.windows.net/common/oauth2/authorizeVEXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          https://login.windows.net/common/oauth2/authorizeWEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                                                              		high
                                                                                                              https://outlook.office.com/EXCEL.EXE, 00000000.00000003.248576275.00000000122A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.461877346.000000000F9AC000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                                                                		high
                                                                                                                https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearerEXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechhEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.comco8EXCEL.EXE, 00000000.00000003.248626435.000000000F9D7000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    		low
                                                                                                                    https://storage.live.com/clientlogs/uploadlocationEXCEL.EXE, 00000000.00000002.531814224.000000000D986000.00000004.00000001.sdmp, 1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72.0.drfalse
                                                                                                                      		high
                                                                                                                      https://login.windows.net/common/oauth2/authorizeNEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.248591724.00000000122E1000.00000004.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://sr.outlook.office.net/ws/speech/recognize/assistant/workVEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://www.typography.netDEXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          		unknown
                                                                                                                          https://login.windows.net/common/oauth2/authorizeAEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://fontfabrik.comEXCEL.EXE, 00000000.00000002.533617598.000000000FB36000.00000002.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://clients.config.office.net/user/v1.0/tenantassociationkeyodyEXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveIEXCEL.EXE, 00000000.00000002.533099894.000000000F810000.00000004.00000001.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://login.windows.net/common/oauth2/authorizeCEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://login.windows.net/common/oauth2/authorizeGEXCEL.EXE, 00000000.00000003.461787756.000000000F913000.00000004.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://login.windows.net/common/oauth2/authorize8=%h$EXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://shell.suite.office.com:1443JEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      		low
                                                                                                                                      https://outlook.office.comYEXCEL.EXE, 00000000.00000002.535589863.00000000122E0000.00000004.00000001.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      		unknown

                                                                                                                                      Contacted IPs

                                                                                                                                      No contacted IP infos

                                                                                                                                      General Information

                                                                                                                                      Joe Sandbox Version:33.0.0 White Diamond
                                                                                                                                      Analysis ID:465987
                                                                                                                                      Start date:16.08.2021
                                                                                                                                      Start time:15:57:41
                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                      Overall analysis duration:0h 6m 9s
                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                      Report type:light
                                                                                                                                      Sample file name:EXCEL.EXE
                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                      Number of analysed new started processes analysed:23
                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                      Technologies:
                                                                                                                                      • HCA enabled
                                                                                                                                      • EGA enabled
                                                                                                                                      • HDC enabled
                                                                                                                                      • AMSI enabled
                                                                                                                                      Analysis Mode:default
                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                      Detection:CLEAN
                                                                                                                                      Classification:clean3.winEXE@1/1@0/0
                                                                                                                                      EGA Information:Failed
                                                                                                                                      HDC Information:Failed
                                                                                                                                      HCA Information:Failed
                                                                                                                                      Cookbook Comments:
                                                                                                                                      • Adjust boot time
                                                                                                                                      • Enable AMSI
                                                                                                                                      • Found application associated with file extension: .EXE
                                                                                                                                      Warnings:
                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                      • Excluded IPs from analysis (whitelisted): 13.89.179.12, 131.253.33.200, 13.107.22.200, 104.208.16.94, 23.211.6.115, 52.109.32.63, 52.109.12.24, 52.109.88.39, 23.211.4.86, 51.103.5.186, 20.82.209.183, 40.112.88.60, 20.42.73.29, 20.82.210.154, 80.67.82.235, 80.67.82.211, 20.54.110.249
                                                                                                                                      • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, onedsblobprdeus15.eastus.cloudapp.azure.com, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                      Simulations

                                                                                                                                      TimeTypeDescription
                                                                                                                                      15:58:41API Interceptor17543x Sleep call for process: EXCEL.EXE modified

                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                      IPs

                                                                                                                                      No context

                                                                                                                                      Domains

                                                                                                                                      No context

                                                                                                                                      ASN

                                                                                                                                      No context

                                                                                                                                      JA3 Fingerprints

                                                                                                                                      No context

                                                                                                                                      Dropped Files

                                                                                                                                      No context

                                                                                                                                      Created / dropped Files

                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1675E7F2-B5DD-45ED-80AE-28EBDC2B6A72
                                                                                                                                      Process:C:\Users\user\Desktop\EXCEL.EXE
                                                                                                                                      File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):135913
                                                                                                                                      Entropy (8bit):5.362411094968542
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:mcQIKNveBTA3gBwlnQ9DQW+z2Y34ZliKWXboOidXqE6LWME9:NyQ9DQW+zaX31
                                                                                                                                      MD5:617609AFE615B94CBCA389D454117F5D
                                                                                                                                      SHA1:0677EFD7DB9D83356DE0E0551941A2EC493748AF
                                                                                                                                      SHA-256:3D2CDB3F91A7D62491A240F9461579F68409CDD9AC1CE8A289BAE4163669AC7D
                                                                                                                                      SHA-512:CC8E6EACBB3674CFCD2BBC79A5DDC768A9C2BAA62CC1264D7374C6E279D7E28E69F85F0D1F177858E1ADB58C63623307A5905978C44C521B398FD458CDEF4FD9
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-08-16T13:58:41">.. Build: 16.0.14408.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

                                                                                                                                      Static File Info

                                                                                                                                      General

                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):6.3094235371817025
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                      File name:EXCEL.EXE
                                                                                                                                      File size:27126608
                                                                                                                                      MD5:496679cae38de68d86b4ae99d7126414
                                                                                                                                      SHA1:6fd1b77e69024637030f59405c7a159840eb5fcf
                                                                                                                                      SHA256:46554daf7a4a6082bb1faf1ff143c60c4f6701279c47e4563a6a2a53f0b5b5e0
                                                                                                                                      SHA512:c4c6a92249979cc9f8756a4a2d9fb2980e03e026cd195200f6e9fec1fda6d582707287e7977dc56c3beb1fa5295548b9ed1d174f22c8bd0364e0e7b215f13335
                                                                                                                                      SSDEEP:786432:5kvkVUJ4akhvzPp0u1crqUGoIFwZ24VsQDdVWk:usVUJFkLr1crqUGoIFM2RQDdVF
                                                                                                                                      File Content Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........'IQ.I.Q.I.Q.I...H.S.I...M.S.I.....P.I.....P.I.....W.I.....G.I.X...G.I...H.T.I.Q.H...I...J.A.I...L.N.I...M.Z.I.q.L.T.I.q.M.R.I

                                                                                                                                      File Icon

                                                                                                                                      Icon Hash:b08e8a8c8c8a8430

                                                                                                                                      Static PE Info

                                                                                                                                      General

                                                                                                                                      Entrypoint:0x401000
                                                                                                                                      Entrypoint Section:.text
                                                                                                                                      Digitally signed:true
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                      Time Stamp:0x60C931CF [Tue Jun 15 23:03:43 2021 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:
                                                                                                                                      OS Version Major:6
                                                                                                                                      OS Version Minor:0
                                                                                                                                      File Version Major:6
                                                                                                                                      File Version Minor:0
                                                                                                                                      Subsystem Version Major:6
                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                      Import Hash:e6a1ebd212df65222111428ecacccceb

                                                                                                                                      Authenticode Signature

                                                                                                                                      Signature Valid:true
                                                                                                                                      Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                                      Error Number:0
                                                                                                                                      Not Before, Not After
                                                                                                                                      • 12/15/2020 1:24:20 PM 12/2/2021 1:24:20 PM
                                                                                                                                      Subject Chain
                                                                                                                                      • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                      Version:3
                                                                                                                                      Thumbprint MD5:31F605F0D1D4BA54250DA5C719A8200C
                                                                                                                                      Thumbprint SHA-1:E8C15B4C98AD91E051EE5AF5F524A8729050B2A2
                                                                                                                                      Thumbprint SHA-256:22A3C23E08C7DBB4E7F4591E58C04285C0514C2894E3C418AD157D817D7EDF3C
                                                                                                                                      Serial:33000003DE8D56825AF1A4A9670000000003DE
                                                                                                                                      Instruction
                                                                                                                                      call 00007F6CA88D04AAh
                                                                                                                                      jmp 00007F6CA88D0566h
                                                                                                                                      push ebp
                                                                                                                                      mov ebp, esp
                                                                                                                                      sub esp, 14h
                                                                                                                                      xor eax, eax
                                                                                                                                      push ebx
                                                                                                                                      mov ebx, BB40E64Eh
                                                                                                                                      cmp dword ptr [016936DCh], eax
                                                                                                                                      je 00007F6CA88D04AEh
                                                                                                                                      cmp dword ptr [016936DCh], ebx
                                                                                                                                      jne 00007F6CA88D053Ah
                                                                                                                                      push edi
                                                                                                                                      push eax
                                                                                                                                      push eax
                                                                                                                                      push 00000001h
                                                                                                                                      call dword ptr [016914C8h]
                                                                                                                                      push eax
                                                                                                                                      call dword ptr [016915E4h]
                                                                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                                                                      push eax
                                                                                                                                      call dword ptr [016915F8h]
                                                                                                                                      mov edi, dword ptr [ebp-08h]
                                                                                                                                      xor edi, dword ptr [ebp-0Ch]
                                                                                                                                      call dword ptr [01691400h]
                                                                                                                                      xor edi, eax
                                                                                                                                      call dword ptr [016913CCh]
                                                                                                                                      xor edi, eax
                                                                                                                                      call dword ptr [01691418h]
                                                                                                                                      xor edi, eax
                                                                                                                                      lea eax, dword ptr [ebp-14h]
                                                                                                                                      push eax
                                                                                                                                      call dword ptr [0169138Ch]
                                                                                                                                      mov eax, dword ptr [ebp-10h]
                                                                                                                                      xor eax, dword ptr [ebp-14h]
                                                                                                                                      xor edi, eax
                                                                                                                                      lea eax, dword ptr [ebp-04h]
                                                                                                                                      push eax
                                                                                                                                      push 00000040h
                                                                                                                                      push 00000004h
                                                                                                                                      push 016936DCh
                                                                                                                                      call dword ptr [016915BCh]
                                                                                                                                      lea eax, dword ptr [ebp-04h]
                                                                                                                                      test edi, edi
                                                                                                                                      push eax
                                                                                                                                      push dword ptr [ebp-04h]
                                                                                                                                      cmovne ebx, edi
                                                                                                                                      mov edi, 016936DCh
                                                                                                                                      push 00000004h
                                                                                                                                      push edi
                                                                                                                                      mov dword ptr [016936DCh], ebx
                                                                                                                                      call dword ptr [016915BCh]
                                                                                                                                      push 00000004h
                                                                                                                                      push edi
                                                                                                                                      call 00007F6CA88D04B7h
                                                                                                                                      mov eax, dword ptr [016936DCh]
                                                                                                                                      not eax
                                                                                                                                      mov dword ptr [01869984h], eax
                                                                                                                                      pop edi
                                                                                                                                      pop ebx
                                                                                                                                      mov esp, ebp
                                                                                                                                      pop ebp
                                                                                                                                      ret
                                                                                                                                      jmp dword ptr [000000B8h]
                                                                                                                                      Programming Language:
                                                                                                                                      • [ C ] VS2015 build 23026
                                                                                                                                      • [IMP] VS2008 SP1 build 30729
                                                                                                                                      • [IMP] VS2015 build 23026
                                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x1457c380x136.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x14602ac0x154.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x154e0000x3f4d68.rsrc
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x19da6000x4550.reloc
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x19430000x9d840.reloc
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x1290ccc0x54.text
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x14107cc0x18.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x12949a80x40.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x12910000x254c.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x1457d700x3e0.rdata
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                      Sections

                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                      .text0x10000x128fe3c0x1290000unknownunknownunknownunknownIMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                                      .rdata0x12910000x1d41ec0x1d4200False0.326341893358data4.88104286529IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                      .data0x14660000xe63800xe3600False0.112755119571data1.70503835863IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                                      .tls0x154d0000x110x200False0.044921875data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                                      .rsrc0x154e0000x3f4d680x3f4e00unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                      .reloc0x19430000x9d8400x9da00False0.600848470956data6.69227404915IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                                      NameRVASizeTypeLanguageCountry
                                                                                                                                      TYPELIB0x18098f80xf3508dataEnglishUnited States
                                                                                                                                      UIFILE0x19396e80x6128dataEnglishUnited States
                                                                                                                                      UIFILE0x193f8100x1825dataEnglishUnited States
                                                                                                                                      UIFILE0x19410380x1a82dataEnglishUnited States
                                                                                                                                      UIFILE0x1942ac00x2a1dataEnglishUnited States
                                                                                                                                      UIFILE0x18fce500x24a26dataEnglishUnited States
                                                                                                                                      UIFILE0x192abc80xeb1bdataEnglishUnited States
                                                                                                                                      UIFILE0x192a9680x59dataEnglishUnited States
                                                                                                                                      UIFILE0x192a9c80x118dataEnglishUnited States
                                                                                                                                      UIFILE0x192aae00x95dataEnglishUnited States
                                                                                                                                      UIFILE0x19218780x90eedataEnglishUnited States
                                                                                                                                      UIFILE0x192ab780x4fdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x15a5fb80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ef2f80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ef4300x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ef7680x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17efbd00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17efd200x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17efe580x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f01900x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f05f80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f07300x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f0a680x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f0ed00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f10080x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f13400x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f17a80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f18f80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f1a480x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f1b800x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f1fe00x134AmigaOS bitmap fontEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f21300x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f22800x134Hitachi SH big-endian COFF object file, not stripped, 1280 sections, symbol offset=0x20000000, 1073741824 symbols, optional header size 256EnglishUnited States
                                                                                                                                      RT_CURSOR0x17f23d00x134Hitachi SH big-endian COFF object file, not stripped, 0 section, symbol offset=0x20000000, 1073741824 symbols, optional header size 256EnglishUnited States
                                                                                                                                      RT_CURSOR0x17f25200x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f26700x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f27c00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f29100x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f2a600x134Hitachi SH big-endian COFF object file, not stripped, 2304 sections, symbol offset=0x20000000, 1073741824 symbols, optional header size 256EnglishUnited States
                                                                                                                                      RT_CURSOR0x17f2bb00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f2d000x134Hitachi SH big-endian COFF object file, not stripped, 2304 sections, symbol offset=0x20000000, 1073741824 symbols, optional header size 256EnglishUnited States
                                                                                                                                      RT_CURSOR0x17f2e500x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f2fa00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f30f00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f32400x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f33900x134AmigaOS bitmap fontEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f34e00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f36300x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f37680x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f3aa00x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f3f080x134AmigaOS bitmap fontEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f40400x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f43780x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f47e00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f49300x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f4c380x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f4f400x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f52480x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f55500x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f56a00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f57f00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f59400x134AmigaOS bitmap fontEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f5a780x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f5ed80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f60100x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f64700x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f65a80x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f6a080x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f6b400x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f6fa00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f70d80x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f75380x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f76700x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f7ad00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f7c080x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f80680x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f81a00x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f86000x134AmigaOS bitmap fontEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f87500x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f88880x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f8bc00x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f90280x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f91600x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f94980x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f99000x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f9a380x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17f9d700x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fa1d80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fa3280x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fa4780x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fa5c80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fa7180x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fa8680x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fa9b80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fab080x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fac580x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fada80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17faef80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb0480x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb1980x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb2e80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb4380x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb5880x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb6d80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb8280x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fb9780x134AmigaOS bitmap fontEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fbac80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fbc180x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fbd680x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fbea00x334dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fc1d80x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fc6400x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fc7780x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fcbd80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fcd100x434dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fd1700x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fd2c00x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fd4100x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fd7180x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fd8680x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fd9b80x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fdcc00x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fdfc80x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fe2d00x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fe5d80x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fe8e00x2ecdataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17febe80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fed380x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fee880x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17fefd80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ff1280x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ff2780x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ff3c80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ff5180x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ff6680x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ff7b80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ff9080x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ffa580x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ffba80x134dataEnglishUnited States
                                                                                                                                      RT_CURSOR0x17ffcf80x134dataEnglishUnited States
                                                                                                                                      RT_ICON0x15561e00x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294913830, next used block 553648127EnglishUnited States
                                                                                                                                      RT_ICON0x15564c80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15565f00x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 16908803, next used block 16843009EnglishUnited States
                                                                                                                                      RT_ICON0x1557c180xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1558ac00x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15593680x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15598d00xfc4PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x155a8980x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1563d400x67e8dataEnglishUnited States
                                                                                                                                      RT_ICON0x156a5280x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x156f9b00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4278190079, next used block 4294967047EnglishUnited States
                                                                                                                                      RT_ICON0x1573bd80x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x15776200x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1579bc80x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x157b6300x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x157c6d80x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x157d0600x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x157d7180x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x157dc880x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279205751, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x157df700x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x157e0980x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x1580d400x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15829080x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 251657996, next used block 235802126EnglishUnited States
                                                                                                                                      RT_ICON0x1583f300x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x15853480xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15861f00xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1586d980x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15876400x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1587d080x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x15883100x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15888780xaf7PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x15893700x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15928180x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x1597ca00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x159bec80x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x159f9100x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15a1eb80x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x15a39200x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15a49c80x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x15a53500x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15a5a080x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15ab8000x130dataEnglishUnited States
                                                                                                                                      RT_ICON0x15ab9300x2e8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15abc400x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x15abf280x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15ac0500x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15aecf80x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15b08c00x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x15b1ee80x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x15b33000xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15b41a80xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15b4d500x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15b55f80x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15b5cc00x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x15b62c80x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15b68300xd88PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x15b75b80x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15c0a600x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x15c5ee80x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x15ca1100x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x15cdb580x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15d01000x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x15d1b680x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15d2c100x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x15d35980x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15d3c500x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15d42000x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 61559EnglishUnited States
                                                                                                                                      RT_ICON0x15d44e80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15d46100x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15d72b80x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15d8e800x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x15da4a80x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x15db8c00xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15dc7680xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15dd3100x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15ddbb80x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15de2800x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x15de8880x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15dedf00xa4cPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x15df8400x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15e8ce80x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x15ee1700x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4278648832EnglishUnited States
                                                                                                                                      RT_ICON0x15f23980x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x15f5de00x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15f83880x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x15f9df00x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15fae980x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x15fb8200x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x15fbed80x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15fc4880x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15fc7700x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x15fc8980x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x15ff5400x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16011080x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 16975627, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x16027300x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x1603b480xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16049f00xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16055980x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x1605e400x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16065080x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x1606b100x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16070780x892PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x16079100x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1610db80x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x16162400x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x161a4680x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x161deb00x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16204580x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x1621ec00x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1622f680x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x16238f00x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1623fa80x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16245580x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 255, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16248400x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16249680x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16276100x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16291d80x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4280163870, next used block 505290495EnglishUnited States
                                                                                                                                      RT_ICON0x162a8000x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x162bc180xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x162cac00xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x162d6680x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x162df100x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x162e5d80x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x162ebe00x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x162f1480xd10PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x162fe580x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16393000x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x163e7880x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 255, next used block 4286574847EnglishUnited States
                                                                                                                                      RT_ICON0x16429b00x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x16463f80x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16489a00x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x164a4080x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x164b4b00x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x164be380x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x164c4f00x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x164caa00x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 15794175, next used block 1886877559EnglishUnited States
                                                                                                                                      RT_ICON0x164cd880x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x164ceb00x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x164fb580x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16517200x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 16909578, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x1652d480x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x16541600xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16550080xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1655bb00x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16564580x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1656b200x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x16571280x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16576900x939PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x1657fd00x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16614780x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x16669000x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x166ab280x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x166e5700x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1670b180x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x16725800x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16736280x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x1673fb00x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16746680x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x1674c180x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 15794175, next used block 16776975EnglishUnited States
                                                                                                                                      RT_ICON0x1674f000x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16750280x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x1677cd00x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16798980x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 16909578, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x167aec00x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x167c2d80xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x167d1800xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x167dd280x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x167e5d00x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x167ec980x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x167f2a00x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x167f8080x94aPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x16801580x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16896000x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x168ea880x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x1692cb00x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x16966f80x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x16981600x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16992080x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x1699b900x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x169a2480x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x169a7f00x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x169aad80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x169ac000x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x169d8a80x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x169f4700x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x16a0a980x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x16a1eb00xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16a2d580xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16a39000x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16a41a80x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16a48700x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x16a4e780x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16a53e00x104bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x16a64300x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16af8d80x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x16b4d600x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x16b8f880x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x16bc9d00x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16bef780x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x16c09e00x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16c1a880x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x16c24100x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16c2ac80x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16c30780x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x16c33600x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16c34880x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16c61300x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16c7cf80x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x16c93200x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x16ca7380xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16cb5e00xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16cc1880x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16cca300x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16cd0f80x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x16cd7000x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16cdc680x127bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x16ceee80x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16d83900x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x16dd8180x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x16e1a400x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x16e54880x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16e7a300x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x16e94980x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16ea5400x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x16eaec80x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16eb5800x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16ebb300x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x16ebe180x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16ebf400x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16eebe80x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16f07b00x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x16f1dd80x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x16f31f00xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16f40980xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16f4c400x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x16f54e80x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x16f5bb00x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x16f61b80x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x16f67200x110aPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x16f78300x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1700cd80x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x17061600x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x170a3880x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x170ddd00x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17103780x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x1711de00x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1712e880x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x17138100x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1713ec80x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17144780x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3435973836, next used block 2088553676EnglishUnited States
                                                                                                                                      RT_ICON0x17147600xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17156080x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17157600x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294967295, next used block 63743EnglishUnited States
                                                                                                                                      RT_ICON0x1715a480x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x1715b980x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3435973836, next used block 1087163596EnglishUnited States
                                                                                                                                      RT_ICON0x1715e800x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x1715fd00x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x17162b80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17163e00x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x17190880x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x171ac500x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x171c2780x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x171d6900xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x171e5380xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x171f0e00x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x171f9880x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17200500x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x17206580x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x1720bc00x1581PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x17221480x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x172b5f00x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x1730a780x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x1734ca00x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x17386e80x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x173ac900x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x173c6f80x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x173d7a00x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x173e1280x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x173e7e00x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x173ed900x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 61559EnglishUnited States
                                                                                                                                      RT_ICON0x173f0780x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x173f1a00x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x1741e480x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1743a100x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x17450380x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x17464500xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17472f80xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1747ea00x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x17487480x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1748e100x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x17494180x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17499800x14e4PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x174ae680x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17543100x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x17597980x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4278648832EnglishUnited States
                                                                                                                                      RT_ICON0x175d9c00x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x17614080x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17639b00x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x17654180x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17664c00x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x1766e480x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17675000x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x1767ab00x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3015424955, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x1767d980x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x1767ee80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17680280x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x17683100x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17684380x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x176b0e00x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x176cca80x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x176e2d00x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x176f6e80xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17705900xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17711380x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x17719e00x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17720a80x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x17726b00x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x1772c180x189bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x17744b80x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x177d9600x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x1782de80x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x17870100x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x178aa580x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x178d0000x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x178ea680x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x178fb100x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x17904980x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1790b500x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17911000x2e8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17913e80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17915380x2e8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17918200x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17919700x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x1791c700x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3422552064, next used block 3234647244EnglishUnited States
                                                                                                                                      RT_ICON0x1791f700x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x17922580x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17923800x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x17950280x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x1796bf00x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
                                                                                                                                      RT_ICON0x17982180x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x17996300xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x179a4d80xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x179b0800x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x179b9280x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x179bff00x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x179c5f80x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x179cb600x1698PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x179e1f80x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17a76a00x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x17acb280x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x17b0d500x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x17b47980x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17b6d400x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x17b87a80x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17b98500x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x17ba1d80x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17ba8900x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17bae400x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279238655, next used block 240EnglishUnited States
                                                                                                                                      RT_ICON0x17bb1280x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17bb2500x2ca8dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x17bdef80x1bc8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17bfac00x1628dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 472462335EnglishUnited States
                                                                                                                                      RT_ICON0x17c10e80x1418dataEnglishUnited States
                                                                                                                                      RT_ICON0x17c25000xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17c33a80xba8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17c3f500x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                                                                                                                                      RT_ICON0x17c47f80x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17c4ec00x608dataEnglishUnited States
                                                                                                                                      RT_ICON0x17c54c80x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17c5a300x110fPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                                                                                                                                      RT_ICON0x17c6b400x94a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17cffe80x5488dataEnglishUnited States
                                                                                                                                      RT_ICON0x17d54700x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696EnglishUnited States
                                                                                                                                      RT_ICON0x17d96980x3a48dataEnglishUnited States
                                                                                                                                      RT_ICON0x17dd0e00x25a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17df6880x1a68dataEnglishUnited States
                                                                                                                                      RT_ICON0x17e10f00x10a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17e21980x988dataEnglishUnited States
                                                                                                                                      RT_ICON0x17e2b200x6b8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17e31d80x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17e37880x368GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17e3af00x368GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                      RT_ICON0x17e3e580x6c8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17e45200x8a8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17e4dc80xea8dataEnglishUnited States
                                                                                                                                      RT_ICON0x17e5c700x9628dataEnglishUnited States
                                                                                                                                      RT_DIALOG0x18092000x9edataEnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f1fb80x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x15a60f00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17efba00x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17efd080x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f05c80x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f0ea00x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f17780x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f18e00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f1a300x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f21180x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f22680x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f23b80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f25080x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f26580x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f27a80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f2a480x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f2b980x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f2ce80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f2e380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f2f880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f30d80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f32280x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f33780x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f28f80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f34c80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f36180x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f3ed80x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f47b00x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f49180x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f4c200x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f4f280x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f52300x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f55380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f56880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f57d80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f59280x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f5eb00x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f64480x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f69e00x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f6f780x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f75100x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f7aa80x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f80400x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f85d80x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f87380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fc6100x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fcbb00x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fd1480x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fa5b00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f8ff80x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17f98d00x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fa1a80x30Lotus unknown worksheet or configuration, revision 0x3EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fa3100x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fa4600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fa7000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fa8500x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fa9a00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17faaf00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fac400x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fad900x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17faee00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb0300x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb1800x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb2d00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb4200x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb5700x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb6c00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb8100x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fb9600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fbab00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fbc000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fbd500x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fd2a80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fd7000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fd8500x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fd9a00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fdca80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fdfb00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fe2b80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fe5c00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fe8c80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17febd00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fed200x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fee700x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fefc00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ff3b00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ff1100x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ff2600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ff5000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ff6500x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ff7a00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ff8f00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ffa400x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ffb900x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ffce00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17ffe300x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_CURSOR0x17fd3f80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x157db800x102dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x15a5e700x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x15abc180x22dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x15d40b80x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x15fc3400x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x164c9580x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x1674ad00x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x16244100x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x169a6b00x13adataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x16c2f300x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x16eb9e80x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17143300x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17157300x30dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x1715b700x22dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x1715fa80x22dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x173ec480x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17679680x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x1767ec00x22dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17680100x14dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x1790fb80x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17915100x22dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17919480x22dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x1791c580x14dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x1791f580x14dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17bacf80x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17e36400x148dataEnglishUnited States
                                                                                                                                      RT_GROUP_ICON0x17ef2980x5adataEnglishUnited States
                                                                                                                                      RT_VERSION0x18092a00x420dataEnglishUnited States
                                                                                                                                      RT_HTML0x18087780xa83HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      RT_MANIFEST0x18096c00x232XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      None0x17ffe480x3aGIF image data, version 89a, 20 x 20EnglishUnited States
                                                                                                                                      None0x17ffe880x3d2GIF image data, version 89a, 16 x 16EnglishUnited States
                                                                                                                                      None0x1801c300x3c5GIF image data, version 89a, 16 x 16EnglishUnited States
                                                                                                                                      None0x18038f00x3c5GIF image data, version 89a, 16 x 16EnglishUnited States
                                                                                                                                      None0x18002600x40fGIF image data, version 89a, 20 x 20EnglishUnited States
                                                                                                                                      None0x18006700x457GIF image data, version 89a, 24 x 24EnglishUnited States
                                                                                                                                      None0x1800ac80x4fbGIF image data, version 89a, 32 x 32EnglishUnited States
                                                                                                                                      None0x1800fc80x5d0GIF image data, version 89a, 40 x 40EnglishUnited States
                                                                                                                                      None0x18015980x698GIF image data, version 89a, 48 x 48EnglishUnited States
                                                                                                                                      None0x1801ff80x3f7GIF image data, version 89a, 20 x 20EnglishUnited States
                                                                                                                                      None0x18023f00x442GIF image data, version 89a, 24 x 24EnglishUnited States
                                                                                                                                      None0x18028380x4d4GIF image data, version 89a, 32 x 32EnglishUnited States
                                                                                                                                      None0x1802d100x587GIF image data, version 89a, 40 x 40EnglishUnited States
                                                                                                                                      None0x18032980x651GIF image data, version 89a, 48 x 48EnglishUnited States
                                                                                                                                      None0x1803cb80x406GIF image data, version 89a, 20 x 20EnglishUnited States
                                                                                                                                      None0x18040c00x43dGIF image data, version 89a, 24 x 24EnglishUnited States
                                                                                                                                      None0x18045000x4d2GIF image data, version 89a, 32 x 32EnglishUnited States
                                                                                                                                      None0x18049d80x582GIF image data, version 89a, 40 x 40EnglishUnited States
                                                                                                                                      None0x1804f600x63fGIF image data, version 89a, 48 x 48EnglishUnited States
                                                                                                                                      None0x18055a00xf5ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      None0x18056980x18dHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      None0x18058280xa4HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      None0x18058d00x1a1HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      None0x1805a780x20b6HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      None0x1807b300xc41HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                                                                      None0x15a61080x5595dataEnglishUnited States
                                                                                                                                      None0x15ab6a00xa2dataEnglishUnited States
                                                                                                                                      None0x15ab7480x4ddataEnglishUnited States
                                                                                                                                      None0x15ab7980x64dataEnglishUnited States
                                                                                                                                      None0x18fce000x4edataEnglishUnited States
                                                                                                                                      DLLImport
                                                                                                                                      VCRUNTIME140.dll_seh_longjmp_unwind4, __CxxLongjmpUnwind, memcpy, _except_handler4_common, memcmp, __telemetry_main_return_trigger, _CxxThrowException, __telemetry_main_invoke_trigger, __CxxFrameHandler3, __vcrt_InitializeCriticalSectionEx, memset, __std_exception_copy, __std_exception_destroy, wcsrchr, wcschr, strstr, wcsstr, memmove, __std_terminate, __std_type_info_compare
                                                                                                                                      MSVCP140.dll?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEHXZ, ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@N@Z, ?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXH@Z, ?pbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXH@Z, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ, ?_Xinvalid_argument@std@@YAXPBD@Z, ?__ExceptionPtrAssign@@YAXPAXPBX@Z, ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ, ?__ExceptionPtrToBool@@YA_NPBX@Z, ?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z, ?_XGetLastError@std@@YAXXZ, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JXZ, _Query_perf_counter, _Query_perf_frequency, _Nan, ?_Xbad_alloc@std@@YAXXZ, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?_Xbad_function_call@std@@YAXXZ, _FNan, ?_BADOFF@std@@3_JB, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ, ?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEGXZ, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPA_W_J@Z, _Mtx_unlock, ?_Throw_C_error@std@@YAXH@Z, _Mtx_lock, _Mtx_destroy_in_situ, _Mtx_init_in_situ, ?__ExceptionPtrCreate@@YAXPAX@Z, ?__ExceptionPtrCurrentException@@YAXPAX@Z, ?__ExceptionPtrRethrow@@YAXPBX@Z, ?__ExceptionPtrDestroy@@YAXPAX@Z, ?__ExceptionPtrCopy@@YAXPAXPBX@Z, ??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEXABVlocale@2@@Z, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPB_W_J@Z, ?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEPAV12@PA_W_J@Z
                                                                                                                                      api-ms-win-crt-heap-l1-1-0.dll_set_new_mode, malloc, free
                                                                                                                                      api-ms-win-crt-runtime-l1-1-0.dll_fpreset, _invalid_parameter_noinfo, _invalid_parameter_noinfo_noreturn, _controlfp_s, terminate, _errno, _register_thread_local_exe_atexit_callback, _c_exit, _exit, _initterm_e, _initterm, _get_narrow_winmain_command_line, _configure_narrow_argv, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, exit
                                                                                                                                      api-ms-win-crt-string-l1-1-0.dllwcscmp, toupper, wcsncat_s, isdigit, iswdigit, isspace, isupper, strncpy_s, wcscpy_s, wcsnlen, wcsncpy_s, tolower, wcscspn, _wcsicmp, wcsncmp, isalnum, towlower, wcscat_s
                                                                                                                                      api-ms-win-crt-convert-l1-1-0.dll_atof_l, _ecvt_s, wcstol, _wtoi, _ui64tow_s, wcstod, _wtof_l
                                                                                                                                      api-ms-win-crt-filesystem-l1-1-0.dll_wsplitpath_s, _wmakepath_s
                                                                                                                                      api-ms-win-crt-stdio-l1-1-0.dll__p__commode, __stdio_common_vswprintf, __stdio_common_vswprintf_s, _set_fmode, __stdio_common_vsnprintf_s, __stdio_common_vswscanf, __stdio_common_vsnwprintf_s
                                                                                                                                      api-ms-win-crt-utility-l1-1-0.dllsrand, rand
                                                                                                                                      api-ms-win-crt-math-l1-1-0.dll_libm_sse2_cos_precise, ceil, log2, round, __setusermatherr, _libm_sse2_sin_precise, floor, _except1, _libm_sse2_sqrt_precise, _fdtest
                                                                                                                                      api-ms-win-crt-time-l1-1-0.dllclock, _time64
                                                                                                                                      api-ms-win-crt-locale-l1-1-0.dll__initialize_lconv_for_unsigned_char, _configthreadlocale, _create_locale
                                                                                                                                      ADVAPI32.dllRegQueryValueExA, RegOpenKeyExA, RegGetValueW, DeregisterEventSource, GetSecurityDescriptorSacl, GetSecurityDescriptorGroup, GetSecurityDescriptorControl, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, OpenProcessToken, MakeSelfRelativeSD, InitializeSecurityDescriptor, AllocateAndInitializeSid, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, InitializeAcl, SetSecurityDescriptorDacl, GetPrivateObjectSecurity, SetPrivateObjectSecurity, GetSecurityDescriptorLength, MapGenericMask, GetSecurityDescriptorDacl, GetAclInformation, LookupAccountNameW, EqualSid, FreeSid, BuildTrusteeWithSidW, GetExplicitEntriesFromAclW, SetEntriesInAclW, GetLengthSid, IsValidSecurityDescriptor, GetAce, LookupAccountSidW, ImpersonateSelf, OpenThreadToken, AccessCheck, RevertToSelf, CryptAcquireContextW, CryptReleaseContext, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, RegDeleteKeyW, RegEnumKeyW, RegCreateKeyExW, RegSetValueExW, RegEnumValueW, EventUnregister, EventRegister, EventWrite, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSecurityDescriptorToStringSecurityDescriptorW, MakeAbsoluteSD, ReportEventW, RegisterEventSourceW, IsValidAcl, IsValidSid, GetSecurityDescriptorOwner
                                                                                                                                      KERNEL32.dllCompareStringEx, GetStringTypeExA, IsDebuggerPresent, SetUnhandledExceptionFilter, FormatMessageA, GetLocaleInfoEx, ResolveLocaleName, SetEvent, LeaveCriticalSection, EnterCriticalSection, MulDiv, QueryPerformanceFrequency, QueryPerformanceCounter, EncodePointer, DecodePointer, GetTickCount64, GlobalAlloc, GlobalLock, GlobalUnlock, CompareStringA, GetStringTypeW, FreeLibrary, IsDBCSLeadByteEx, LCMapStringEx, GetACP, IsDBCSLeadByte, IsBadReadPtr, GetLastError, GetCurrentThreadId, GetOEMCP, SetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, LoadLibraryA, LoadLibraryW, GetModuleFileNameW, OutputDebugStringA, GetUserGeoID, GetGeoInfoW, GetCurrentProcess, GetCurrentProcessId, GetSystemInfo, VirtualQuery, VirtualAlloc, WinExec, GlobalFree, GetTickCount, GetDriveTypeW, GlobalSize, GlobalReAlloc, GetFileSize, GetFileTime, SetFileTime, GetVolumeInformationW, UnlockFile, LockFile, MoveFileW, ReadFile, WriteFile, SetFilePointer, DeleteFileW, GetFileAttributesW, SetFileAttributesW, CloseHandle, SearchPathW, FindClose, FindFirstFileW, FindNextFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, SetEnvironmentVariableW, GetShortPathNameW, SetErrorMode, FindResourceW, LoadResource, GetLocalTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetWindowsDirectoryW, IsValidCodePage, VirtualFree, InitializeCriticalSection, DeleteCriticalSection, Sleep, GetFileAttributesExW, GetLogicalDrives, LoadLibraryExW, HeapAlloc, GetProcessHeap, HeapReAlloc, HeapFree, EnumCalendarInfoW, GetUserDefaultLocaleName, VerSetConditionMask, VerifyVersionInfoW, IsValidLocale, GetTempPathW, FlushFileBuffers, LoadLibraryExA, GetFullPathNameW, IsBadWritePtr, GlobalAddAtomW, GlobalGetAtomNameW, GlobalDeleteAtom, CreateEventW, CreateThread, SetThreadIdealProcessor, GetExitCodeThread, TerminateThread, GetVersion, GetSystemDefaultLCID, LocalAlloc, LocalFree, GetSystemDirectoryW, GetStartupInfoW, GetCommandLineW, GetCurrentThread, MultiByteToWideChar, FindAtomW, InitializeCriticalSectionAndSpinCount, CopyFileExW, GlobalFlags, DebugBreak, GetTempFileNameW, GetSystemTime, TerminateProcess, RaiseException, lstrlenW, OutputDebugStringW, SizeofResource, LockResource, SetThreadPriority, SetDllDirectoryW, GetLocaleInfoW, lstrcmpW, LCIDToLocaleName, GetComputerNameW, AddAtomW, WideCharToMultiByte, GetUserDefaultLCID, ExpandEnvironmentStringsW, OpenFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, OpenFileMappingW, OpenEventW, GetSystemDefaultLangID, WerRegisterMemoryBlock, VirtualProtect, CreateEventExW, GetModuleHandleExW, FlsGetValue, InitializeCriticalSectionEx, FormatMessageW, FlsSetValue, InterlockedFlushSList, WaitForSingleObjectEx, GetNativeSystemInfo, HeapSetInformation, ResetEvent, IsProcessorFeaturePresent, UnhandledExceptionFilter, SystemTimeToTzSpecificLocalTime, GetSystemTimeAsFileTime, InterlockedPushEntrySList, InitializeSListHead, FlsFree, FlsAlloc
                                                                                                                                      ole32.dllCoInitializeEx, StgCreateDocfile, CoCreateInstance, CoCreateInstanceEx, CLSIDFromString, OleSetMenuDescriptor, CoTreatAsClass, SetConvertStg, WriteClassStg, WriteClassStm, OleConvertIStorageToOLESTREAM, OleConvertOLESTREAMToIStorage, CLSIDFromProgID, CoFileTimeNow, CoIsOle1Class, WriteFmtUserTypeStg, ReadFmtUserTypeStg, GetClassFile, OleUninitialize, DoDragDrop, OleInitialize, CreateGenericComposite, OleRun, OleCreateLinkFromData, OleCreateLink, CoMarshalInterface, CoUnmarshalInterface, OleFlushClipboard, StringFromGUID2, CreateFileMoniker, StringFromCLSID, ReadClassStm, GetHGlobalFromStream, CoInitialize, OleSaveToStream, CoCreateGuid, OleSave, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleGetIconOfClass, OleQueryLinkFromData, ProgIDFromCLSID, CreateItemMoniker, CreateDataAdviseHolder, OleRegGetUserType, CreateOleAdviseHolder, OleIsRunning, GetRunningObjectTable, CoRevokeClassObject, CoGetMalloc, StgIsStorageFile, IsAccelerator, CoAllowSetForegroundWindow, CoDisconnectObject, OleQueryCreateFromData, CoUninitialize, CoFreeUnusedLibraries, CoRegisterMessageFilter, CoLockObjectExternal, OleTranslateAccelerator, OleSetContainedObject, OleCreateFromData, ReadClassStg, GetHGlobalFromILockBytes, OleSetClipboard, StgSetTimes, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, ReleaseStgMedium, OleGetClipboard, CoTaskMemFree, CoRegisterClassObject, CreateBindCtx, CoTaskMemAlloc, CreateStreamOnHGlobal, OleIsCurrentClipboard
                                                                                                                                      oart.dll
                                                                                                                                      NameOrdinalAddress
                                                                                                                                      BeginUpgradeASPPModel370xcb82e5
                                                                                                                                      DllGetLCID380x1857d5f
                                                                                                                                      GetDMCLRRuntime390xcb8238
                                                                                                                                      LinkASPPModelTable400xcb834d
                                                                                                                                      MdCallBack360x1112564
                                                                                                                                      MdCallBack12460x98f967
                                                                                                                                      UpgradeASPPModel410xcb8319
                                                                                                                                      _LPenHelper450xcb8226
                                                                                                                                      DescriptionData
                                                                                                                                      InternalNameExcel
                                                                                                                                      FileVersion16.0.5188.1000
                                                                                                                                      CompanyNameMicrosoft Corporation
                                                                                                                                      LegalTrademarks1Microsoft is a registered trademark of Microsoft Corporation.
                                                                                                                                      LegalTrademarks2Windows is a registered trademark of Microsoft Corporation.
                                                                                                                                      ProductNameMicrosoft Office 2016
                                                                                                                                      ProductVersion16.0.5188.1000
                                                                                                                                      FileDescriptionMicrosoft Excel
                                                                                                                                      MOSEVersionBETA
                                                                                                                                      OriginalFilenameExcel.exe
                                                                                                                                      Translation0x0000 0x04e4

                                                                                                                                      Possible Origin

                                                                                                                                      Language of compilation systemCountry where language is spokenMap
                                                                                                                                      EnglishUnited States

                                                                                                                                      Network Behavior

                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                      Aug 16, 2021 15:58:24.090964079 CEST6206053192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:24.116022110 CEST53620608.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:24.521476984 CEST6180553192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:24.554466009 CEST53618058.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:24.900029898 CEST5479553192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:24.925030947 CEST53547958.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:25.861471891 CEST4955753192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:25.886666059 CEST53495578.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:26.298202991 CEST6173353192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:26.335887909 CEST53617338.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:41.647521019 CEST6544753192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:41.715488911 CEST53654478.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:42.309314966 CEST5244153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:42.362570047 CEST53524418.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:43.052350044 CEST6217653192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:43.080014944 CEST53621768.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:43.327615976 CEST5244153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:43.383081913 CEST53524418.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:44.159548044 CEST5959653192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:44.188602924 CEST53595968.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:44.340038061 CEST5244153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:44.374233007 CEST53524418.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:46.402539015 CEST5244153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:46.429645061 CEST53524418.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:49.989725113 CEST6529653192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:50.030503035 CEST53652968.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:50.450047016 CEST5244153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:50.483872890 CEST53524418.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:56.322017908 CEST6318353192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:56.354465961 CEST53631838.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:58:57.266346931 CEST6015153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:58:57.302386045 CEST53601518.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:10.383872986 CEST5696953192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:10.417651892 CEST53569698.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:17.710783958 CEST5516153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:17.735600948 CEST53551618.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:18.663885117 CEST5475753192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:18.691603899 CEST53547578.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:20.513696909 CEST4999253192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:20.548860073 CEST53499928.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:21.293636084 CEST6007553192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:21.320765018 CEST53600758.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:22.097925901 CEST5501653192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:22.124197960 CEST53550168.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:31.676008940 CEST6434553192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:31.710474014 CEST53643458.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:34.952740908 CEST5712853192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:34.992028952 CEST53571288.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:56.215039968 CEST5479153192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:56.251650095 CEST53547918.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:57.957947969 CEST5046353192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:57.990619898 CEST53504638.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 15:59:59.281771898 CEST5039453192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 15:59:59.332442999 CEST53503948.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 16:01:02.582717896 CEST5853053192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 16:01:02.637279987 CEST53585308.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 16:01:03.312654018 CEST5381353192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 16:01:03.398288012 CEST53538138.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 16:01:04.257426023 CEST6373253192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 16:01:04.291414976 CEST53637328.8.8.8192.168.2.5
                                                                                                                                      Aug 16, 2021 16:01:04.589308977 CEST5734453192.168.2.58.8.8.8
                                                                                                                                      Aug 16, 2021 16:01:04.625021935 CEST53573448.8.8.8192.168.2.5

                                                                                                                                      Code Manipulations

                                                                                                                                      Statistics

                                                                                                                                      System Behavior

                                                                                                                                      Analysis Process: EXCEL.EXE PID: 5532 Parent PID: 5684

                                                                                                                                      General

                                                                                                                                      Start time:15:58:36
                                                                                                                                      Start date:16/08/2021
                                                                                                                                      Path:C:\Users\user\Desktop\EXCEL.EXE
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:'C:\Users\user\Desktop\EXCEL.EXE'
                                                                                                                                      Imagebase:0xa30000
                                                                                                                                      File size:27126608 bytes
                                                                                                                                      MD5 hash:496679CAE38DE68D86B4AE99D7126414
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:low
                                                                                                                                      Show Windows behavior

                                                                                                                                      File Activities

                                                                                                                                      Show Windows behavior

                                                                                                                                      Registry Activities

                                                                                                                                      Disassembly

                                                                                                                                      Code Analysis