Analysis Report sample20210111-01.xlsm

Overview

General Information

Sample Name: sample20210111-01.xlsm
Analysis ID: 338158
MD5: fa5350d4304c4c2ceafa435244b5a5fc
SHA1: fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
SHA256: 0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
Tags: Dridex, xlsm

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapter information
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6304 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 5544 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll. MD5: 426E7499F6A7346F0410DEAD0805586B)
    • splwow64.exe (PID: 6712 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
    • regsvr32.exe (PID: 860 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\dunjzsby.dll. MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6384 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\xnaitann.dll. MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 4", "77.220.64.37:443", "80.86.91.27:3308", "5.100.228.233:3389", "46.105.131.65:1512"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6304, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., ProcessId: 5544
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6304, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., ProcessId: 5544
Sigma detected: Regsvr32 Anomaly
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6304, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., ProcessId: 5544

Signature Overview

AV Detection:

Found malware configuration
Source: 16.2.regsvr32.exe.b80000.3.unpack, Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 4", "77.220.64.37:443", "80.86.91.27:3308", "5.100.228.233:3389", "46.105.131.65:1512"]}
Multi AV Scanner detection for submitted file
Source: sample20210111-01.xlsm, Virustotal: Detection: 26%
Source: sample20210111-01.xlsm, ReversingLabs: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\xnaitann.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dunjzsby.dll, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown, HTTPS traffic detected: 74.220.219.210:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 184.171.244.207:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 192.185.41.153:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49865 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\mkmanoo.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\dunjzsby.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\xnaitann.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: u8wa3gh[1].zip.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: excel.exe, Memory has grown: Private usage: 1MB later: 77MB
Source: global traffic, DNS query: name: bulksms.interweblimited.com
Source: global traffic, TCP traffic: 192.168.2.4:49746 -> 74.220.219.210:443
Source: global traffic, TCP traffic: 192.168.2.4:49775 -> 80.86.91.27:3308
Source: global traffic, TCP traffic: 192.168.2.4:49776 -> 5.100.228.233:3389
Source: global traffic, TCP traffic: 192.168.2.4:49777 -> 46.105.131.65:1512
Source: Joe Sandbox View, IP Address: 5.100.228.233
Source: Joe Sandbox View, IP Address: 80.86.91.27
Source: Joe Sandbox View, IP Address: 46.105.131.65
Source: Joe Sandbox View, IP Address: 77.220.64.37
Source: Joe Sandbox View, ASN Name: SENTIANL
Source: Joe Sandbox View, ASN Name: GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown, TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown, TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown, TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 16_2_00BB39F9 InternetReadFile,16_2_00BB39F9
Source: unknown, DNS traffic detected: queries for: bulksms.interweblimited.com
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/crosoft
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/h
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/h1
Source: regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/p
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/r
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/rX
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/raphy
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/rh
Source: regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/x
Source: regsvr32.exe, 00000010.00000003.888569929.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmpString found in binary or memory: https://80100.228.233:3389/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.aadrm.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.office.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.onedrive.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://augloop.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://augloop.office.com/v2
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: mkmanoo.dll.0.drString found in binary or memory: https://bulksms.interweblimited.com
Source: mkmanoo.dll.0.drString found in binary or memory: https://bulksms.interweblimited.com/svg/404.svg);
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cdn.entity.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://clients.config.office.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://config.edge.skype.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cortana.ai/api
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://cr.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dev.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://devnull.onenote.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://directory.services.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.drString found in binary or memory: https://excel.uservoice.com/forums/3049