Windows Analysis Report counter-1248368226.xls

Overview

General Information

Sample Name:	counter-1248368226.xls
Analysis ID:	532597
MD5:	30a0db47a66a3d3173457755bb166529
SHA1:	c852a219defe8ab726b72f8792386e35428b46dc
SHA256:	bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Yara detected hidden Macro 4.0 in Excel

Yara signature match

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected potential crypto function

Document contains embedded VBA macros

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Antivirus detection for URL or domain

Source: https://playsis.com.br/qJSL1BN5V/tiynh.html	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/R	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BNs	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.html	Avira URL Cloud: Label: malware

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.3:49745 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 108.179.192.98:443

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: greenflag.esp.br

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 108.179.192.98:443

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.241.2.78 162.241.2.78
Source: Joe Sandbox View	IP Address: 108.179.192.98 108.179.192.98
Source: Joe Sandbox View	IP Address: 103.28.36.171 103.28.36.171

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: EXCEL.EXE, 00000001.00000003.476275279.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488859590.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467843202.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462582747.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419978341.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340031882.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610899653.000000000FE23000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides/O
Source: EXCEL.EXE, 00000001.00000002.608087011.000000000E08E000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
Source: EXCEL.EXE, 00000001.00000002.608049076.000000000E06A000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/tabler
Source: EXCEL.EXE, 00000001.00000003.469607881.0000000016ABE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.470048142.000000001690E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455964384.0000000016B06000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455940301.0000000016AD6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000001.00000003.469607881.0000000016ABE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.470048142.000000001690E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455964384.0000000016B06000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455940301.0000000016AD6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: http://weather.service.msn.com/data.aspxNS
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging1
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/downloade
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticatedB
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledMBI_SSL_SHORT
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated6
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/commerce/queryv
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apiE
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.aadrm.com
Source: EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.aadrm.com/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appinfo/queryg
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.cortana.ai
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.com?V
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.comHV
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.comhuc
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.microsoftstream.com/api/nt9H
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.office.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net&s
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net/s
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net9rh
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net=sl
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netLr
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netls
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netyp(
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netzs
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.onedrive.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://api.onedrive.comMBI
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.onedrive.comce
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsu
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://apis.live.net/v5.0/S
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/S2
Source: EXCEL.EXE	String found in binary or memory: https://augloop.dod.online.office365.us
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://augloop.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.com%
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://augloop.office.com/v2
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlW
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.entity.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.c
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.pngOutlookConnectorManifesthttps:
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpselllOh
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://client-office365-tas.msedge.net/abuc
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/4K
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/Bearer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/https://loguc
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/ioshtt
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyL
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://config.edge.skype.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v2/Officeb
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cortana.ai
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cortana.ai/api
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.ai/api-Y
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.aiIY
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.aietl
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cr.office.com
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com-L
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/4
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com6L
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comLL
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comPI
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comUV
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comxLu
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dev.cortana.ai
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dev.cortana.ai2Y
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/H
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://devnull.onenote.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://devnull.onenote.comt
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://directory.services.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/)V
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1G
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json#
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlM
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://entitlement.diagnosticssdf.office.comq
Source: EXCEL.EXE	String found in binary or memory: https://entity.osi.office.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://entity.osi.office.net/t
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidy
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.ppe.windows.net//
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.windows.net
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.windows.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.windows.net/l
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.windows.net/ointZ
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.windows.netse
Source: EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/
Source: EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.html
Source: EXCEL.EXE, 00000001.00000003.324828323.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418599518.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.htmlZd
Source: EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/z
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.com
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?B
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: EXCEL.EXE	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1i
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000001.00000002.611303760.00000000135FB000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://incidents.diagnostics.office.comH
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: EXCEL.EXE	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppR
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Binguo
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrYO
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveX2i
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaq
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://lifecycle.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://lifecycle.office.comP
Source: EXCEL.EXE, 00000001.00000003.339645774.0000000013881000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339423306.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418797301.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461136291.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527925109.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611756255.000000001388E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324103805.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527045226.0000000013879000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeuo
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows.local
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.localtes
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizehNd
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize%_3
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize&
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize&Z0
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize.S8
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize7
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize:
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize;
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize=
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?S
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeC_
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeD
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeG
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeM
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeMf
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeOP
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizea_
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizec
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizef
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizei
Source: EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizek
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizelQ
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizemP
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizen_
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizes
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizesZ
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeteV
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizezP
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize~
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/W
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1J
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://management.azure.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://management.azure.com/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://management.azure.com/l
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://messaging.office.com/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log8
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ncus.contentsync.
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.603652781.0000000002E30000.00000004.00000020.sdmp	String found in binary or memory: https://nexus.officeapps.live.com
Source: EXCEL.EXE, 00000001.00000002.611303760.00000000135FB000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/
Source: EXCEL.EXE	String found in binary or memory: https://nexus.officeapps.live.com/ne
Source: EXCEL.EXE, 00000001.00000003.325048483.0000000016780000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nete
Source: EXCEL.EXE	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
Source: EXCEL.EXE, 00000001.00000002.611407310.00000000136A8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rulesn
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.comlatesForWord
Source: EXCEL.EXE, 00000001.00000002.612479351.0000000016745000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/
Source: EXCEL.EXE, 00000001.00000003.324828323.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418599518.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/TSh7GBeIR/tiynh.html
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.netW
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officeapps.live.com
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com%
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com)
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com/
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com3
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com5
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com9
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com=
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comC
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comG
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comM
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comQ
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comS
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comW
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comX(
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.coma
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.come
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comk
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.como
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comu
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/u
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdatedh
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://onedrive.live.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseUN
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/embed?i
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.comed
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://osi.office.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netM&
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netjY
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netst
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://otelrules.azureedge.netd
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office.com
Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office.com/
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office.comX:
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com
Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json3
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxI
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.c
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.b
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/R
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1B
Source: EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.html
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.html
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BNs
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1n
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSh
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qt
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://powerlift.acompli.net
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect)
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://roaming.edog.
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.come
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://settings.outlook.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://staging.cortana.ai
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.airlL?
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com4:
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com7
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comP
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comR
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comc:
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.como
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://tasks.office.com
Source: EXCEL.EXE	String found in binary or memory: https://tellmeservice.osi.office.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://tellmeservice.osi.office.netst
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/I
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicesV
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://webshell.suite.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://webshell.suite.office.comOCSettingsCloudPolicyServiceAndroidUrlhttps://clients.config.office
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://webshell.suite.office.comeH
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://wus2.contentsync.
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://www.odwebp.svc.msomP

Source: unknown

DNS traffic detected: queries for: greenflag.esp.br

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.3:49745 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 12	Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
Source: Screenshot number: 12	Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing CD PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 0	Screenshot OCR: Enable Content G) SECURITY WARNING Macros have been disabled. Enable Content If you are using a mo
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing 1 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 1	Screenshot OCR: Enable Content C9 SECURITY WARNING Macros have been disabled. Enable Content om If you are using a
Source: Screenshot number: 16	Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
Source: Screenshot number: 16	Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30

Yara signature match

Source: counter-1248368226.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Found a hidden Excel 4.0 Macro sheet

Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor3
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor6
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor2
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor1
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor4
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor5

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Detected potential crypto function

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 1_3_16780CEC		1_3_16780CEC
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 1_3_0FEA3E79		1_3_0FEA3E79

Document contains embedded VBA macros

Source: counter-1248368226.xls	OLE indicator, VBA macros: true
Source: counter-1248368226.xls.1.dr	OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: CC657B23.tmp.1.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: counter-1248368226.xls	OLE indicator, Workbook stream: true
Source: counter-1248368226.xls.1.dr	OLE indicator, Workbook stream: true

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{2D709C6B-06C3-4955-B106-541C202F59AB} - OProcSessId.dat

Jump to behavior

Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: EXCEL.EXE	String found in binary or memory: https://[OMEX.BaseHost]/api/addins/emailtemplate
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: EXCEL.EXE	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: EXCEL.EXE	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: EXCEL.EXE	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EXCEL.EXE	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: EXCEL.EXE	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: EXCEL.EXE	String found in binary or memory: https://api.addins.store.office.com/addinstemplate

Source: classification engine

Classification label: mal80.expl.winXLS@7/5@3/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: CC657B23.tmp.1.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: EXCEL.EXE, 00000001.00000003.527724456.0000000013706000.00000004.00000001.sdmp	Binary or memory string: Saving imgs.htm. Press ESC to cancel.ESC to cancel.3}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ee,b
Source: EXCEL.EXE, 00000001.00000003.461834280.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475951004.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489769065.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610656942.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488673925.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467737108.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.608003887.000000000E024000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match	File source: counter-1248368226.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED

Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.2.78	playsis.com.br	United States	26337	OIS1US	false
108.179.192.98	greenflag.esp.br	United States	46606	UNIFIEDLAYER-AS-1US	false
103.28.36.171	noithat117.vn	Viet Nam	131353	NHANHOA-AS-VNNhanHoaSoftwarecompanyVN	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
greenflag.esp.br	108.179.192.98	true
playsis.com.br	162.241.2.78	true
noithat117.vn	103.28.36.171	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://playsis.com.br/qJSL1BN5V/tiynh.html	true	Avira URL Cloud: malware	unknown
https://greenflag.esp.br/yuINdRbM/tiynh.html	false	Avira URL Cloud: safe	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Antivirus detection for URL or domain

Source: https://playsis.com.br/qJSL1BN5V/tiynh.html	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/R	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BNs	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.html	Avira URL Cloud: Label: malware

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.3:49745 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 108.179.192.98:443

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: greenflag.esp.br

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 108.179.192.98:443

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.241.2.78 162.241.2.78
Source: Joe Sandbox View	IP Address: 108.179.192.98 108.179.192.98
Source: Joe Sandbox View	IP Address: 103.28.36.171 103.28.36.171

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: EXCEL.EXE, 00000001.00000003.476275279.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488859590.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467843202.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462582747.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419978341.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340031882.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610899653.000000000FE23000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides/O
Source: EXCEL.EXE, 00000001.00000002.608087011.000000000E08E000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
Source: EXCEL.EXE, 00000001.00000002.608049076.000000000E06A000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/tabler
Source: EXCEL.EXE, 00000001.00000003.469607881.0000000016ABE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.470048142.000000001690E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455964384.0000000016B06000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455940301.0000000016AD6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000001.00000003.469607881.0000000016ABE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.470048142.000000001690E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455964384.0000000016B06000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455940301.0000000016AD6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: http://weather.service.msn.com/data.aspxNS
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging1
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/downloade
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticatedB
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledMBI_SSL_SHORT
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated6
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/commerce/queryv
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apiE
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.aadrm.com
Source: EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.aadrm.com/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appinfo/queryg
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.cortana.ai
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.com?V
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.comHV
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.comhuc
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.microsoftstream.com/api/nt9H
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.office.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net&s
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net/s
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net9rh
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net=sl
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netLr
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netls
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netyp(
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.netzs
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.onedrive.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://api.onedrive.comMBI
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.onedrive.comce
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsu
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://apis.live.net/v5.0/S
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/S2
Source: EXCEL.EXE	String found in binary or memory: https://augloop.dod.online.office365.us
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://augloop.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.com%
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://augloop.office.com/v2
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlW
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.entity.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.c
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.pngOutlookConnectorManifesthttps:
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpselllOh
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://client-office365-tas.msedge.net/abuc
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/4K
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/Bearer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/https://loguc
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/ioshtt
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyL
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://config.edge.skype.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v2/Officeb
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cortana.ai
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cortana.ai/api
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.ai/api-Y
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.aiIY
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.aietl
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://cr.office.com
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com-L
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/4
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com6L
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comLL
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comPI
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comUV
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comxLu
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dev.cortana.ai
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dev.cortana.ai2Y
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/H
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://devnull.onenote.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://devnull.onenote.comt
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://directory.services.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/)V
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1G
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json#
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlM
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://entitlement.diagnosticssdf.office.comq
Source: EXCEL.EXE	String found in binary or memory: https://entity.osi.office.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://entity.osi.office.net/t
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidy
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.ppe.windows.net//
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.windows.net
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://graph.windows.net/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.windows.net/l
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.windows.net/ointZ
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://graph.windows.netse
Source: EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/
Source: EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.html
Source: EXCEL.EXE, 00000001.00000003.324828323.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418599518.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.htmlZd
Source: EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/z
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.com
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?B
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: EXCEL.EXE	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1i
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000001.00000002.611303760.00000000135FB000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://incidents.diagnostics.office.comH
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: EXCEL.EXE	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppR
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Binguo
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrYO
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveX2i
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaq
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://lifecycle.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://lifecycle.office.comP
Source: EXCEL.EXE, 00000001.00000003.339645774.0000000013881000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339423306.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418797301.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461136291.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527925109.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611756255.000000001388E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324103805.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527045226.0000000013879000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeuo
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows.local
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.localtes
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizehNd
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize%_3
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize&
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize&Z0
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize.S8
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize7
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize:
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize;
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize=
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?S
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeC_
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeD
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeG
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeM
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeMf
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeOP
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizea_
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizec
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizef
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizei
Source: EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizek
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizelQ
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizemP
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizen_
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizer
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizes
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizesZ
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeteV
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizezP
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize~
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/W
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1J
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://management.azure.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://management.azure.com/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://management.azure.com/l
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://messaging.office.com/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log8
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ncus.contentsync.
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.603652781.0000000002E30000.00000004.00000020.sdmp	String found in binary or memory: https://nexus.officeapps.live.com
Source: EXCEL.EXE, 00000001.00000002.611303760.00000000135FB000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/
Source: EXCEL.EXE	String found in binary or memory: https://nexus.officeapps.live.com/ne
Source: EXCEL.EXE, 00000001.00000003.325048483.0000000016780000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nete
Source: EXCEL.EXE	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
Source: EXCEL.EXE, 00000001.00000002.611407310.00000000136A8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rulesn
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.comlatesForWord
Source: EXCEL.EXE, 00000001.00000002.612479351.0000000016745000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/
Source: EXCEL.EXE, 00000001.00000003.324828323.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418599518.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/TSh7GBeIR/tiynh.html
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.netW
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officeapps.live.com
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com%
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com)
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com/
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com3
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com5
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com9
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com=
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comC
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comG
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comM
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comQ
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comS
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comW
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comX(
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.coma
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.come
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comk
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.como
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comu
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/u
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdatedh
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://onedrive.live.com
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseUN
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/embed?i
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.comed
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://osi.office.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netM&
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netjY
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netst
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://otelrules.azureedge.netd
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office.com
Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office.com/
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office.comX:
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com
Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json3
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxI
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.c
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.b
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/R
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1B
Source: EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.html
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.html
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BNs
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1n
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSh
Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qt
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://powerlift.acompli.net
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect)
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://roaming.edog.
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.come
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://settings.outlook.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://staging.cortana.ai
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.airlL?
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com4:
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com7
Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comP
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comR
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comc:
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.como
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://tasks.office.com
Source: EXCEL.EXE	String found in binary or memory: https://tellmeservice.osi.office.net
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://tellmeservice.osi.office.netst
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/I
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicesV
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://webshell.suite.office.com
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp	String found in binary or memory: https://webshell.suite.office.comOCSettingsCloudPolicyServiceAndroidUrlhttps://clients.config.office
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://webshell.suite.office.comeH
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://wus2.contentsync.
Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp	String found in binary or memory: https://www.odwebp.svc.msomP

Source: unknown

DNS traffic detected: queries for: greenflag.esp.br

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.3:49745 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 12	Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
Source: Screenshot number: 12	Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing CD PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 0	Screenshot OCR: Enable Content G) SECURITY WARNING Macros have been disabled. Enable Content If you are using a mo
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing 1 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 1	Screenshot OCR: Enable Content C9 SECURITY WARNING Macros have been disabled. Enable Content om If you are using a
Source: Screenshot number: 16	Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
Source: Screenshot number: 16	Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30

Yara signature match

Source: counter-1248368226.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Found a hidden Excel 4.0 Macro sheet

Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor3
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor6
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor2
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor1
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor4
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor5

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Detected potential crypto function

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 1_3_16780CEC		1_3_16780CEC
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Code function: 1_3_0FEA3E79		1_3_0FEA3E79

Document contains embedded VBA macros

Source: counter-1248368226.xls	OLE indicator, VBA macros: true
Source: counter-1248368226.xls.1.dr	OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: CC657B23.tmp.1.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: counter-1248368226.xls	OLE indicator, Workbook stream: true
Source: counter-1248368226.xls.1.dr	OLE indicator, Workbook stream: true

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{2D709C6B-06C3-4955-B106-541C202F59AB} - OProcSessId.dat

Jump to behavior

Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: EXCEL.EXE	String found in binary or memory: https://[OMEX.BaseHost]/api/addins/emailtemplate
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: EXCEL.EXE	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: EXCEL.EXE	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: EXCEL.EXE	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: EXCEL.EXE	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EXCEL.EXE	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: EXCEL.EXE	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: EXCEL.EXE	String found in binary or memory: https://api.addins.store.office.com/addinstemplate

Source: classification engine

Classification label: mal80.expl.winXLS@7/5@3/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: CC657B23.tmp.1.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: EXCEL.EXE, 00000001.00000003.527724456.0000000013706000.00000004.00000001.sdmp	Binary or memory string: Saving imgs.htm. Press ESC to cancel.ESC to cancel.3}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ee,b
Source: EXCEL.EXE, 00000001.00000003.461834280.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475951004.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489769065.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610656942.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488673925.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467737108.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.608003887.000000000E024000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match	File source: counter-1248368226.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED

Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

ID:	532597
Product:	CloudBasic
Start time:	14:42:56
Start date:	02.12.2021
Sample:	counter-1248368226.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	30a0db47a66a3d3173457755bb166529
SHA1:	c852a219defe8ab726b72f8792386e35428b46dc
SHA256:	bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3638B7F6-A3D7-43B8-AAEC-D8550EE39223	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	6C13F0CA1C4C4F96838C348AFAB72B50	96942CCCEDA33AE9DADCC6424DBA0AED72E5F2A1	61DB7F05B1E8F36617B5C01873A86ADB1C439432869C6033891FF6C69226CC67
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CC657B23.tmp	Composite Document File V2 Document, Cannot read section info	72F5C05B7EA8DD6059BF59F50B22DF33	D5AF52E129E15E3A34772806F6C5FBF132E7408E	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
C:\Users\user\AppData\Local\Temp\~DF1FFD1382AF47CF05.TMP	data	6235D05472679068C67F48FDCF00B91D	8259DEBBFCAFDA24C2FEF013F0AF4F840B35B847	9E32E87680CDB684D3D2BB47426999E90B6914D554B84ECBEE63A527D778E059
C:\Users\user\AppData\Local\Temp\~DF8DAE98E0C529E805.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\counter-1248368226.xls	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 30 06:43:37 2021, Security: 0	045001B5E9C8CC03D4893E9231D17AA6	61C136453CE43CE2555EA0BC9840E6130AABD1BD	894978747FCC6AEA92D61D3783ECC79AA2E1F02F0E159934AAB2C919BDC99BF6

Windows Analysis Report counter-1248368226.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs