Windows Analysis Report http://zindagidesire.org/quodoptio/omnissunt-6533473

Overview

General Information

Sample URL:http://zindagidesire.org/quodoptio/omnissunt-6533473
Analysis ID:528479

Detection

Hidden Macro 4.0
Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • chrome.exe (PID: 6676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://zindagidesire.org/quodoptio/omnissunt-6533473" MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6904 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,4247150022949698433,15184573980368063471,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3368 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 4624 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\omnissunt-6533473.zip" MD5: 1BFD96908AB2C114F24ABAF0CB630007)
      • 7za.exe (PID: 2984 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\yiopw1wm.acj" "C:\Users\user\Downloads\omnissunt-6533473.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5140 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • EXCEL.EXE (PID: 2960 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde MD5: 5D6638F2C8F8571C593999C58866007E)
          • regsvr32.exe (PID: 5048 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 5056 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 712 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x3b2aa:$s1: Excel
  • 0x3c378:$s1: Excel
  • 0x3521:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2960, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 5048

    Jbx Signature Overview

    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
    Source: C:\Windows\SysWOW64\unarchiver.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: unknown; HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49803 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49804 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49805 version: TLS 1.2

    Software Vulnerabilities:

    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\regsvr32.exe
    Source: C:\Windows\SysWOW64\unarchiver.exe; Code function: 4x nop then jmp 019309B7h 6_2_019302A8
    Source: C:\Windows\SysWOW64\unarchiver.exe; Code function: 4x nop then jmp 019309B6h 6_2_019302A8
    Source: global traffic; HTTP traffic detected:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 25 Nov 2021 10:04:01 GMT
      Content-Type: text/html; charset=UTF-8
      Content-Length: 157
      x-powered-by: PHP/7.4.25
      set-cookie: PHPSESSID=459f13144c1235550078ac9c92f00c00; path=/
      expires: Thu, 19 Nov 1981 08:52:00 GMT
      cache-control: no-store, no-cache, must-revalidate
      pragma: no-cache
      content-encoding: gzip
      vary: Accept-Encoding
      x-turbo-charged-by: LiteSpeed
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49766
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49765
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49742
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49762
    Source: unknown; Network traffic detected: HTTP traffic on port 49742 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49766 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49767 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49762 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49765 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49804 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49768 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49803 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49805 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49805
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49804
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49803
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49768
    Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49767
    Source: global traffic; HTTP traffic detected:
      HTTP/1.1 403 Forbidden
      Content-Type: text/html
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: 0
      Server: BitNinja Captcha Server
      Date: Thu, 25 Nov 2021 10:03:54 GMT
      Content-Length: 13768
      Connection: close
    Source: global traffic; HTTP traffic detected:
      HTTP/1.1 404 Not Found
      Content-Type: text/html
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: 0
      Server: BitNinja Captcha Server
      Date: Thu, 25 Nov 2021 10:03:54 GMT
      Content-Length: 0
      Connection: close
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://management.azure.com/
    Source: mirroring_common.js.1.drString found in binary or memory: https://meet.google.com
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://meetings.clients6.google.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://messaging.office.com/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://ncus.contentsync.
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: mirroring_common.js.1.drString found in binary or memory: https://networktraversal.googleapis.com/v1alpha
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://officeapps.live.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.drString found in binary or memory: https://ogs.google.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://onedrive.live.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://osi.office.net
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://otelrules.azureedge.net
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://outlook.office.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://outlook.office.com/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://outlook.office365.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://outlook.office365.com/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: manifest.json.1.dr, craw_window.js.1.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.drString found in binary or memory: https://play.google.com
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://powerlift.acompli.net
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.drString found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com
    Source: data_1.3.drString found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.drString found in binary or memory: https://redirector.gvt1.com
    Source: data_1.3.drString found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://roaming.edog.
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: manifest.json.1.dr, craw_window.js.1.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://settings.outlook.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 0e2691ed-06ce-4f9d-8065-c08bb9372d60.tmp.3.dr, 6c1598f5-9cf3-459f-8559-e2cc0c5a8f0b.tmp.3.drString found in binary or memory: https://ssl.gstatic.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://staging.cortana.ai
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
    Source: messages.json83.1.dr, messages.json40.1.dr, messages.json52.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json22.1.dr, messages.json77.1.dr, messages.json34.1.dr, messages.json54.1.dr, messages.json10.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json9.1.dr, messages.json62.1.dr, messages.json85.1.dr, messages.json41.1.dr, messages.json20.1.dr, messages.json24.1.dr, messages.json8.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json69.1.dr, messages.json1.1.dr, messages.json15.1.dr, messages.json33.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json23.1.dr, messages.json50.1.dr, messages.json25.1.dr, messages.json68.1.dr, messages.json53.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json32.1.dr, messages.json2.1.dr, messages.json55.1.dr, messages.json82.1.dr, messages.json81.1.dr, messages.json42.1.dr, messages.json78.1.dr, messages.json31.1.dr, messages.json0.1.dr, messages.json11.1.dr, messages.json.1.dr, messages.json13.1.dr, messages.json14.1.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json83.1.dr, messages.json40.1.dr, messages.json52.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json22.1.dr, messages.json77.1.dr, messages.json34.1.dr, messages.json54.1.dr, messages.json10.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json9.1.dr, messages.json62.1.dr, messages.json85.1.dr, messages.json41.1.dr, messages.json20.1.dr, messages.json24.1.dr, messages.json8.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json69.1.dr, messages.json1.1.dr, messages.json15.1.dr, messages.json33.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json23.1.dr, messages.json50.1.dr, messages.json25.1.dr, messages.json68.1.dr, messages.json53.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json32.1.dr, messages.json2.1.dr, messages.json55.1.dr, messages.json82.1.dr, messages.json81.1.dr, messages.json42.1.dr, messages.json78.1.dr, messages.json31.1.dr, messages.json0.1.dr, messages.json11.1.dr, messages.json.1.dr, messages.json13.1.dr, messages.json14.1.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://tasks.office.com
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: D6F41213-C6D7-4EB1-8034-D361F5012CBF.12.drString found in binary o