Edit tour

Windows Analysis Report
jokLq9gHyc.exe

Overview

General Information

Sample name:	jokLq9gHyc.exe renamed because original name is a hash value
Original sample name:	36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e.exe
Analysis ID:	1559341
MD5:	485573e162551f66f776923126e5b5ff
SHA1:	c1f4507c3f8eb24279e0b47a1523500e62cb0764
SHA256:	36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e
Tags:	exeincblog6--7-onionuser-JAMESWT_MHT
Infos:

Detection

INC Ransomware

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found ransom note / readme

Multi AV Scanner detection for submitted file

Yara detected INC Ransomware

AI detected suspicious sample

Changes the wallpaper picture

Contains functionalty to change the wallpaper

Document exploit detected (process start blacklist hit)

Found Tor onion address

Found potential ransomware demand text

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected potential crypto function

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May use bcdedit to modify the Windows boot settings

Queries the volume information (name, serial number etc) of a device

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

jokLq9gHyc.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\jokLq9gHyc.exe" MD5: 485573E162551F66F776923126E5B5FF)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FXSSVC.exe (PID: 10152 cmdline: C:\Windows\system32\fxssvc.exe MD5: 8C6D3BF6997E02544BE68D43DABE2F39)

ONENOTE.EXE (PID: 7504 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{A2E7CF79-C90D-485A-A37F-868BC5C92F80}.xps" 133765767541360000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)

OfficeC2RClient.exe (PID: 10100 cmdline: OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1 MD5: 4F025E7F9ADD3623A8B384BC0C7B18CB)

onenoteim.exe (PID: 7652 cmdline: "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca MD5: 56AC82018A550CF0C525F0C7891806F1)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2049780481.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.2058728567.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.2049590953.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.2055621435.0000000002550000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.2058573420.0000000002550000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.2057493253.0000000002550000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
Process Memory Space: jokLq9gHyc.exe PID: 7420	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
Click to see the 4 entries

Sigma Signatures

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\Users\user\AppData\Local\Temp\\background-image.jpg, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jokLq9gHyc.exe, ProcessId: 7420, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T12:46:03.790557+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	52.123.255.71	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jokLq9gHyc.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: jokLq9gHyc.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Machine Learning detection for sample

Source: jokLq9gHyc.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F590C0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,ExitProcess,ExitProcess,SHEmptyRecycleBinA,GetConsoleWindow,ShowWindow,lstrlenW,lstrlenW,lstrlenW,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,	0_2_00F590C0
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F55920 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileSizeEx,CloseHandle,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptGenRandom,lstrlenW,lstrlenW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyA,lstrlenW,lstrcpyW,CreateIoCompletionPort,ReadFile,InterlockedIncrement,	0_2_00F55920
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F56B30 lstrlenA,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	0_2_00F56B30

Source: jokLq9gHyc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\$WinREAgent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\$WinREAgent\Scratch\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\PerfLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\ARM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\dbg\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\AppV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\AppV\Setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\UserData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\Keys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\SystemKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DeviceSync\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventTranscript\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Sideload\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Siufloc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLanding\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DRM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DRM\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\production\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\MapData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\MF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\NetFramework\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Network\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Network\Connections\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Network\Downloader\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Office\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Provisioning\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\Data\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Settings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Settings\Accounts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Spectrum\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Speech_OneCore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Storage Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\Scripts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\Templates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Vault\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WDF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Clean Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\FileEvidence\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\NetworkFilesMappingStubs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Features\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\BackupStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\00\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\03\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\04\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\05\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\06\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\07\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\15\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\21\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Snapshots\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WwanSvc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft OneDrive\setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\vcRuntimeMinimum_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\regid.1991-06.com.microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\SoftwareDistribution\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\ssh\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\USOShared\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\USOShared\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\USOShared\Logs\User\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\WindowsHolographicDevices\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Recovery\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\.ms-ad\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\3D Objects\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Contacts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\CURQNKVOIX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\DVWHKMNFNN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\HTAGVDFUIE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\JSDNGYCOWY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\KZWFNRXYKI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\ZTGJILHXQB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\CURQNKVOIX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\DVWHKMNFNN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\HTAGVDFUIE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\JSDNGYCOWY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\KZWFNRXYKI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\ZTGJILHXQB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Favorites\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Pictures\Camera Roll\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Pictures\Saved Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Recent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Searches\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\AccountPictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Libraries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Videos\INC-README.txt	Jump to behavior

Source: unknown

HTTPS traffic detected: 52.123.255.71:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: jokLq9gHyc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F549A0 Sleep,lstrcmpiW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,		0_2_00F549A0
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F54AE0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,Sleep,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,_wcsstr,lstrcpyW,lstrcatW,Sleep,InterlockedExchangeAdd,CreateThread,FindNextFileW,FindClose,		0_2_00F54AE0

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Clean Store\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Networking

Found Tor onion address

Source: jokLq9gHyc.exe, 00000000.00000003.2049780481.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2049780481.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2058728567.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2058728567.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2055621435.0000000002550000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2055621435.0000000002550000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: jokLq9gHyc.exe, 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span>
Source: jokLq9gHyc.exe, 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/</span>
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span>
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/</span>
Source: INC-README.txt194.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt194.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt233.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt233.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt197.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt197.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt187.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt187.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt59.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt59.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt201.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt201.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt110.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt110.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt85.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt85.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt16.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt16.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt103.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt103.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt49.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt49.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt71.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt71.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt158.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt158.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt56.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt56.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt30.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt30.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt74.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt74.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt46.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt46.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt47.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt47.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt96.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt96.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt212.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt212.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt167.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt167.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt84.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt84.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt123.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt123.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt244.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt244.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt53.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt53.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt111.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt111.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt234.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt234.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: INC-README.txt127.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt127.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 52.123.255.71:443

Source: global traffic

HTTP traffic detected: GET /config/v2/Office/officeclicktorun/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7423E565-A626-48D4-A186-93E31FBB3F25%7d&Application=officeclicktorun&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=officec2rclient.exe&Audience=Production&Build=ship&Architecture=x64&PerpetualLicense=2019&LicenseCategory=3&LicenseSKU=ProPlusRetail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b100658EF-A533-49E4-A927-AF364CADE8B9%7d&LabMachine=false HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipIf-None-Match: "sSWlHUzHyGOmlDUj/sBFzQkl+48fO8GHL0RWhOFrydE="User-Agent: Microsoft Office 2014DisableExperiments: falseX-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130Host: ecs.office.com

Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://b.c2r.ts.cdn.office.net/prcom/Z
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/prw
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, INC-README.txt194.0.dr, INC-README.html22.0.dr, INC-README.html151.0.dr, INC-README.html182.0.dr, INC-README.txt233.0.dr, INC-README.txt197.0.dr, INC-README.txt187.0.dr, INC-README.txt59.0.dr, INC-README.txt201.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html147.0.dr, INC-README.html89.0.dr, INC-README.html161.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.html232.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr	String found in binary or memory: http://incapt.su/
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, INC-README.txt194.0.dr, INC-README.html22.0.dr, INC-README.html151.0.dr, INC-README.html182.0.dr, INC-README.txt233.0.dr, INC-README.txt197.0.dr, INC-README.txt187.0.dr, INC-README.txt59.0.dr, INC-README.txt201.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html147.0.dr, INC-README.html89.0.dr, INC-README.html161.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.html232.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, INC-README.txt194.0.dr, INC-README.html22.0.dr, INC-README.html151.0.dr, INC-README.html182.0.dr, INC-README.txt233.0.dr, INC-README.txt197.0.dr, INC-README.txt187.0.dr, INC-README.txt59.0.dr, INC-README.txt201.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html147.0.dr, INC-README.html89.0.dr, INC-README.html161.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.html232.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr	String found in binary or memory: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides$
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://weather.service.msn.com/data.aspxDd
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging0
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging3
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticatedG
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/apps/removev
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/queryz
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removePq#/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removes
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED28114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query6
Source: OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115201795.00000229D663D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apiMd
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688092260.000001ED27C37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696689683.000001ED27C39000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685828215.000001ED27C1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apillook
Source: OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.aadrm.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.aadrm.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.aadrm.comt
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.cortana.aiWN
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnostics.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnostics.office.com?SK
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnostics.office.comAT
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnostics.office.comwUs
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback(
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback0
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.comIU
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com_T
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.comcU
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.microsoftstream.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.microsoftstream.com/api/
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.microsoftstream.comservicStreamMobileAppEcsAPIhttps://ecs.office.comyapi.
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701245529.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695251478.000001ED27555000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689399960.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.net#
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.net7
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.netC
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.netK
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.netc
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.neto
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.onedrive.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.onedrive.comM
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasetsab
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.scheduler.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2977883275.00000221CE82C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.live.net/v5.0/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://app.powerbi.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: OfficeC2RClient.exe, 0000000C.00000003.2685783833.000001ED2763A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680139261.000001ED27628000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED275A3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137453782.000001ED27627000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED275A3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696097363.000001ED27642000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689278270.000001ED2763E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685257528.000001ED2762E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4/api/selection%
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.com/v2
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.com3
Source: OfficeC2RClient.exe, 0000000C.00000002.2694721402.000001ED25C96000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686813635.000001ED25C89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692440783.000001ED25C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685882700.000001ED25C7C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115201795.00000229D663D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985183144.00000229D53CD000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.comr
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canary.designerapp.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699636936.000001ED2813B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED28133000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-stringss
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED28133000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.neth
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.entity.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/Yb
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts(
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fontsp
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/P
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiesM~
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688355857.000001ED25BDA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688999885.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: OfficeC2RClient.exe, 0000000C.00000003.2692142468.000001ED25C46000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2691985683.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688355857.000001ED25BDA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688999885.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/iosfhp
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688355857.000001ED25BDA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688999885.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694541003.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: OfficeC2RClient.exe, 0000000C.00000003.2692142468.000001ED25C46000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2691985683.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688355857.000001ED25BDA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688999885.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/macssVV
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeygs
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyms
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyys
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspxx
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/Office;b
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2983530723.00000229D14B8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2984894761.00000229D5323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v2/Office2b
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consentson=
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cortana.ai/api
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cr.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.docs.live.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED28133000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/uQq
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987416583.00000229D7A5E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://designerapp.azurewebsites.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://designerapp.azurewebsites.netp
Source: OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CB8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CB8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CB8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/_
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2116042295.00000229D7798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.comBearer
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2116042295.00000229D7798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.comed
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://directory.services.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/config/v1/Designernc
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/config/v1/Designerwc
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696644875.000001ED27C1F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701245529.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685828215.000001ED27C1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695251478.000001ED27555000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689399960.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2818C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.16827.20130/Production/CC?&EcsCanary=1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/registrar/prod2
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/rpsMBI_SSLskype.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/rpsUrl
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/rpseAPI
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986976863.00000229D77D9000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/%P
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/)P5
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1A
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986976863.00000229D77D9000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1F~
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1$
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1#s
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v12
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986976863.00000229D77D9000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986976863.00000229D77D9000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlK
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/mPy
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://entity.osi.office.net/t
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: OfficeC2RClient.exe, 0000000C.00000002.2698343378.000001ED2807C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2690951433.000001ED2807C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://events.data.mic
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidD
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/%sFirstPartyAppQueryhttps://fpastorage.cdn.office.net/firstpartyap
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xmlL
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986976863.00000229D77D9000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.ppe.windows.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986976863.00000229D77D9000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.ppe.windows.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.ppe.windows.netK
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.windows.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986976863.00000229D77D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.windows.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.windows.net/SK
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.windows.net/e
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.windows.netsez
Source: OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694541003.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694541003.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.comWritescel
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688092260.000001ED27C37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696689683.000001ED27C39000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685828215.000001ED27C1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.coma-7368302a1ad4
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696426290.000001ED27BE3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986739032.00000229D774E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986608181.00000229D7727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dO
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986608181.00000229D7727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1F
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1I
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=iconscrev=3
Source: OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos4
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideost
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688092260.000001ED27C37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685828215.000001ED27C1C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688092260.000001ED27C37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685828215.000001ED27C1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?-X-1F
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ic3.teams.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnostics.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnostics.office.comNb
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnosticssdf.office.com8c
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/client#
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/clientstoreV
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveAppn
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986739032.00000229D774E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing;)
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt8
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriverev=3
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681052484.000001ED28101000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699583700.000001ED28102000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://invites.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesV
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifecycle.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize~
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.localB$
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize;
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize%
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize&
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize(
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize0
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize5
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize6
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize8
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeE
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeF
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeN
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeP
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeU
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeV
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeX
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizecom
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizee
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizem
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizen
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizep
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeteP
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeu
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizev
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizex
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize~
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v16
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://make.powerautomate.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://management.azure.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://management.azure.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://management.azure.com/i
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://management.azure.comz
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setcampaignaction6
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setcampaignactionF
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setcampaignactionMBI_SSL_SHORTmessaging.action.office.comBearer
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16MBI_SSL_SHORTmessaging.action.office.comBearer
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16SendAutoRenewActionhttps://
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16V
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.engagement.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregatorMBI_SSL_SHORTmessaging.engagement.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregatorZ
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregatorl
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16A
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2116042295.00000229D7798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16MBI_SSL_SHORTmessaging.lifecycle.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16e
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mss.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.microsoftpersonalcontent.comMBI
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechj
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ncus.cntentsync.
Source: OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2116042295.00000229D7798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ncus.contentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ncus.paecopL;
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ncus.pagecontentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordD
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocos-office365-s2s.msedge.net/abEb
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685112691.000001ED280C1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.netWb
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/6c
Source: OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D55000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678763662.000001ED27D57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D55000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com#
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com%
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com9
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com:
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com=
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comE
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comEurV
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comH
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comN
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comNamz
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comS
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comY
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.coma
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comc
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comg
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comi
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comiceR
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comr
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comt
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comux
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comx
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officepyservice.office.net/2
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696426290.000001ED27BE3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officesetup.getmicrosoftkey.com#
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: OfficeC2RClient.exe, 0000000C.00000003.2691985683.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688355857.000001ED25BDA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688999885.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692186858.000001ED25C34000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695251478.000001ED27555000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdatedPdG4PpHr.
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986739032.00000229D774E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseX
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/embed?J
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/embed?iF
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com5
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://osi.office.netst
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.azureedge.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.svc.static.microsoftq_
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696426290.000001ED27BE3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115201795.00000229D663D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986926288.00000229D77C1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115201795.00000229D663D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696426290.000001ED27BE3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137453782.000001ED275C3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115201795.00000229D663D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/-
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesH
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json:q
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonfq
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/connectors
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/connectorsPb
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/connectorse
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.comI
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.comOneCameraCDNUrlhttps://res.cdn.office.netrcClpRevokeCompliancePortalUrl
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/P
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook(
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/review/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptionsd
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonq
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonl
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685112691.000001ED280C1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8Os
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerlift-frontdesk.acompli.net_
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerlift.acompli.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ioss
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115201795.00000229D663D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pushchannel.1drv.ms
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pushchannel.1drv.msP
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonD
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40H
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net/polymer/modelsAe
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net/polymer/modelsve
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.netPI
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy-
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicyM
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://service.officepy.microsoftusercontent.com/6
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://service.officepy.microsoftusercontent.com/ovid8(.D
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://service.powerapps.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://service.powerapps.com9
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings.outlook.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings.outlook.comv
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shell.suite.office.com:1443
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986608181.00000229D7727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skyapi.live.net/Activity/
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://staging.cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137453782.000001ED275C3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685882700.000001ED25C7C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694673846.000001ED25C8A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: OfficeC2RClient.exe, 0000000C.00000003.2686813635.000001ED25C89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137453782.000001ED275C3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685882700.000001ED25C7C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694673846.000001ED25C8A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: OfficeC2RClient.exe, 0000000C.00000003.2686813635.000001ED25C89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137453782.000001ED275C3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685882700.000001ED25C7C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694673846.000001ED25C8A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: OfficeC2RClient.exe, 0000000C.00000003.2686813635.000001ED25C89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137453782.000001ED275C3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685882700.000001ED25C7C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694673846.000001ED25C8A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: OfficeC2RClient.exe, 0000000C.00000003.2686813635.000001ED25C89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137453782.000001ED275C3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685882700.000001ED25C7C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694673846.000001ED25C8A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: OfficeC2RClient.exe, 0000000C.00000003.2162126571.000001ED25C5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676960700.000001ED25C6A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685882700.000001ED25C7C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2694673846.000001ED25C8A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986739032.00000229D774E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986168017.00000229D6785000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.office.cn/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.office.cn/addinstemplateP
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.office.de/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681052484.000001ED28101000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699583700.000001ED28102000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/M365.Accessss
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com1
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com7
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comF
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comP
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comQ
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comd
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comt
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comu
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comv
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tasks.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tasks.office.comst
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tellmeservice.osi.office.netst
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://templatesmetadata.office.net/$
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://templatesmetadata.office.net/N
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://templatesmetadata.office.net/es/notOfficePythonServiceEndpointUrlhttps://service.officepy.mi
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, INC-README.txt194.0.dr, INC-README.html22.0.dr, INC-README.html151.0.dr, INC-README.html182.0.dr, INC-README.txt233.0.dr, INC-README.txt197.0.dr, INC-README.txt187.0.dr, INC-README.txt59.0.dr, INC-README.txt201.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html147.0.dr, INC-README.html89.0.dr, INC-README.html161.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.html232.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr	String found in binary or memory: https://twitter.com/hashtag/incransom?f=live
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686557647.000001ED27C06000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696605314.000001ED27C0F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687849535.000001ED27C07000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692734382.000001ED27C0E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com%q
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com7~
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.microsoftstream.com/video/
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/N
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/y
Source: OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webshell.suite.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webshell.suite.office.comOnStreamMobileAppClientConfigOfficeAPIhttps://clients.config.office
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webshell.suite.office.comPI
Source: OfficeC2RClient.exe, 0000000C.00000003.2679481825.000001ED27BDD000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27BD2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677781677.000001ED27BDB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2685643443.000001ED27BE0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696426290.000001ED27BE3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680240954.000001ED27BDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986739032.00000229D774E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986926288.00000229D77C1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosJ
Source: OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wus2.contentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987416583.00000229D7A5E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wus2.pagecontentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.odwebp.svc.ms
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, INC-README.txt194.0.dr, INC-README.html22.0.dr, INC-README.html151.0.dr, INC-README.html182.0.dr, INC-README.txt233.0.dr, INC-README.txt197.0.dr, INC-README.txt187.0.dr, INC-README.txt59.0.dr, INC-README.txt201.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html147.0.dr, INC-README.html89.0.dr, INC-README.html161.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.html232.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr	String found in binary or memory: https://www.torproject.org/
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yammer.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED28133000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yammer.com?
Source: OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yammer.comT

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: unknown

HTTPS traffic detected: 52.123.255.71:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F56790 GetTempPathW,lstrcatW,lstrlenA,lstrlenA,lstrcpyA,CreateFontW,GetDC,CreateCompatibleDC,SelectObject,lstrlenA,GetTextExtentPoint32A,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetTextColor,SetBkMode,SetBkColor,lstrlenA,DrawTextA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,ReleaseDC,CreateFileW,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,DeleteObject,DeleteObject,DeleteDC,DeleteObject,RegOpenKeyW,lstrlenW,RegSetValueExW,RegCloseKey,SystemParametersInfoW,

0_2_00F56790

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\INC-README.html

Dropped file: <html><head><title>INC Ransom</title></head><body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"><div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"><div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Your personal ID: </span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">E4FFEDDCC

Jump to dropped file

Yara detected INC Ransomware

Source: Yara match	File source: 00000000.00000003.2049780481.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2058728567.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2049590953.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2055621435.0000000002550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2058573420.0000000002550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2057493253.0000000002550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jokLq9gHyc.exe PID: 7420, type: MEMORYSTR

Changes the wallpaper picture

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Users\user\AppData\Local\Temp\\background-image.jpg

Jump to behavior

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

0_2_00F56790

Found potential ransomware demand text

Source: jokLq9gHyc.exe, 00000000.00000003.2049780481.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: jokLq9gHyc.exe, 00000000.00000003.2058728567.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: jokLq9gHyc.exe, 00000000.00000003.2055621435.0000000002550000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: jokLq9gHyc.exe, 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: jokLq9gHyc.exe, 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt194.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html22.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html151.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html182.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt233.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt197.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt187.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt59.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt201.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt110.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt85.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt16.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html147.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html89.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html161.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html2.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt103.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html232.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt49.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt71.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt158.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt56.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html30.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt30.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html197.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt74.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt46.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt47.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt96.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html214.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt212.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html158.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt167.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt84.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt123.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html25.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html94.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html62.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html9.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt244.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt53.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt111.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html79.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt234.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt127.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html8.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html132.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File moved: C:\Users\user\Desktop\HTAGVDFUIE\DVWHKMNFNN.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File moved: C:\Users\user\Desktop\DVWHKMNFNN\RAYHIWGKDI.mp3	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File moved: C:\Users\user\Desktop\HTAGVDFUIE\HTAGVDFUIE.docx	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File moved: C:\Users\user\Desktop\DVWHKMNFNN\JSDNGYCOWY.jpg	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\$WinREAgent\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\$WinREAgent\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\$WinREAgent\Scratch\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\$WinREAgent\Scratch\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\PerfLogs\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\PerfLogs\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\ProgramData\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File dropped: C:\ProgramData\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\MpAsDesc.dll.mui entropy: 7.9973458578	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\mpuxagent.dll.mui entropy: 7.99401697587	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\mpuxagent.dll.mui entropy: 7.99447001449	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\MpAsDesc.dll.mui entropy: 7.99742812652	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\mpuxagent.dll.mui entropy: 7.99479709207	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\mpasdesc.dll.mui entropy: 7.99655422948	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\MpAsDesc.dll.mui entropy: 7.99653065208	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\MpAsDesc.dll.mui entropy: 7.99343895673	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\mpuxagent.dll.mui entropy: 7.99064246064	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\MpEvMsg.dll.mui entropy: 7.99419432061	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\ProtectionManagement.dll.mui entropy: 7.99581859009	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\MpAsDesc.dll.mui entropy: 7.99401393318	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\MpEvMsg.dll.mui entropy: 7.99505470706	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\mpuxagent.dll.mui entropy: 7.99075534842	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\ProtectionManagement.dll.mui entropy: 7.99576586066	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\MpAsDesc.dll.mui entropy: 7.99716458866	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\mpuxagent.dll.mui entropy: 7.9941949191	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\mpuxagent.dll.mui entropy: 7.99512252582	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\MpAsDesc.dll.mui entropy: 7.9968871305	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\MpEvMsg.dll.mui entropy: 7.99652531712	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\mpuxagent.dll.mui entropy: 7.99510643401	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\1A4B1382-EEB5-4D59-B0FA-B93F83A518E1-0.bin entropy: 7.99949995393	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\ProtectionManagement.dll.mui entropy: 7.99723716675	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\MpAsDesc.dll.mui entropy: 7.99561656616	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\MpEvMsg.dll.mui entropy: 7.99529381708	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\mpuxagent.dll.mui entropy: 7.99241457298	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\ProtectionManagement.dll.mui entropy: 7.99576993742	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\mpuxagent.dll.mui entropy: 7.99446667444	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\mpuxagent.dll.mui entropy: 7.99474691329	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\mpuxagent.dll.mui entropy: 7.99449646803	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\mpuxagent.dll.mui entropy: 7.9950352202	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\MpAsDesc.dll.mui entropy: 7.99602405898	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\MpEvMsg.dll.mui entropy: 7.99549092261	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\mpuxagent.dll.mui entropy: 7.99210200742	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\ProtectionManagement.dll.mui entropy: 7.99606605201	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\mpuxagent.dll.mui entropy: 7.99504824624	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\mpuxagent.dll.mui entropy: 7.99497082461	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\mpuxagent.dll.mui entropy: 7.9946717805	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\mpuxagent.dll.mui entropy: 7.99392560868	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\MpAsDesc.dll.mui entropy: 7.99719797414	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\MpAsDesc.dll.mui entropy: 7.99724019837	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\mpuxagent.dll.mui entropy: 7.99432056604	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\mpuxagent.dll.mui entropy: 7.99440206642	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.lkg entropy: 7.99998619676	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.vdm entropy: 7.99988935684	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.lkg entropy: 7.99997723061	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.lkg entropy: 7.99994017881	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.lkg entropy: 7.99982476639	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Microsoft-Antimalware-Service.man entropy: 7.99323101723	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Microsoft-Windows-Windows Defender.man entropy: 7.99879028028	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm entropy: 7.9999780097	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm entropy: 7.99942648872	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm entropy: 7.9999759191	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\mpuxagent.dll.mui entropy: 7.9939936255	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm entropy: 7.99969453716	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\mpuxagent.dll.mui entropy: 7.9948457671	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\mpuxagent.dll.mui entropy: 7.99517442906	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\mpuxagent.dll.mui entropy: 7.9951784993	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\mpuxagent.dll.mui entropy: 7.99481871435	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasbase.vdm entropy: 7.9999836608	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\MpAsDesc.dll.mui entropy: 7.99725431293	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\mpuxagent.dll.mui entropy: 7.99319614944	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\MpEvMsg.dll.mui entropy: 7.99692537406	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavdlta.vdm entropy: 7.99832174775	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\mpuxagent.dll.mui entropy: 7.99490824211	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\MpAsDesc.dll.mui entropy: 7.997204805	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasdlta.vdm entropy: 7.99981887795	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\MpEvMsg.dll.mui entropy: 7.99721576717	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavbase.vdm entropy: 7.99997181962	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\mpuxagent.dll.mui entropy: 7.99430112126	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl entropy: 7.99928813905	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\mpuxagent.dll.mui entropy: 7.99393655774	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db entropy: 7.99840282832	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\mpuxagent.dll.mui entropy: 7.99501423362	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db entropy: 7.99455111405	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\mpuxagent.dll.mui entropy: 7.99541364394	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\mpuxagent.dll.mui entropy: 7.99299584601	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\MpAsDesc.dll.mui entropy: 7.99690554879	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\mpuxagent.dll.mui entropy: 7.99333789735	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\mpuxagent.dll.mui entropy: 7.99487364788	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\mpuxagent.dll.mui entropy: 7.99526857284	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\MpAsDesc.dll.mui entropy: 7.99683078898	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\mpuxagent.dll.mui entropy: 7.99340871356	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\mpuxagent.dll.mui entropy: 7.99449279706	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\mpuxagent.dll.mui entropy: 7.99536819531	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\mpuxagent.dll.mui entropy: 7.99467898964	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\MpAsDesc.dll.mui entropy: 7.99723941492	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db entropy: 7.99288617108	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\mpuxagent.dll.mui entropy: 7.99535729541	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\mpuxagent.dll.mui entropy: 7.99300633855	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpAsDesc.dll.mui entropy: 7.99667227615	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl entropy: 7.99978831733	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\IGD.CAT entropy: 7.99596189649	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl entropy: 7.99971621672	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpEvMsg.dll.mui entropy: 7.99673736162	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl entropy: 7.99916746549	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl entropy: 7.9993755479	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\mpuxagent.dll.mui entropy: 7.99445270657	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log entropy: 7.99938677062	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\mpuxagent.dll.mui entropy: 7.99449178235	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\MpAsDesc.dll.mui entropy: 7.99742284987	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\MpEvMsg.dll.mui entropy: 7.99681718594	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin entropy: 7.99996083372	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.01 entropy: 7.99981580602	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\mpuxagent.dll.mui entropy: 7.99471007352	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.67 entropy: 7.99996499217	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.6C entropy: 7.99981387794	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.80 entropy: 7.99991319684	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.87 entropy: 7.99982427496	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpPerformanceRecording.psm1 entropy: 7.99770689023	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.7E entropy: 7.99995852018	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpPerformanceReport.Format.ps1xml entropy: 7.99819463794	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpPreference.cdxml entropy: 7.99836100428	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.83 entropy: 7.99981702885	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.7C entropy: 7.99991657212	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.79 entropy: 7.99998089944	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.E6 entropy: 7.99741529084	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.A0 entropy: 7.99994416675	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db entropy: 7.99973358173	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.DB entropy: 7.99981002308	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.mof entropy: 7.99827746027	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\MpAsDesc.dll.mui entropy: 7.99662108557	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\MpEvMsg.dll.mui entropy: 7.99710225696	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\mpuxagent.dll.mui entropy: 7.99406922349	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\ProtectionManagement.dll.mui entropy: 7.99719492151	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\MpAsDesc.dll.mui entropy: 7.99773287209	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\MpEvMsg.dll.mui entropy: 7.99689069877	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\mpuxagent.dll.mui entropy: 7.99466739158	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\mpuxagent.dll.mui entropy: 7.99510925439	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\MpAsDesc.dll.mui entropy: 7.99734467686	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpAsDesc.dll.mui entropy: 7.99727234247	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\mpuxagent.dll.mui entropy: 7.99442889264	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpEvMsg.dll.mui entropy: 7.99698745328	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\mpuxagent.dll.mui entropy: 7.99447647894	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\MpAsDesc.dll.mui entropy: 7.99729933333	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\MpEvMsg.dll.mui entropy: 7.99710076097	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\mpuxagent.dll.mui entropy: 7.99519830202	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpAsDesc.dll.mui entropy: 7.99724944876	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpEvMsg.dll.mui entropy: 7.99673824098	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\ProtectionManagement.dll.mui entropy: 7.99743614532	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\mpuxagent.dll.mui entropy: 7.99476728239	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\MpAsDesc.dll.mui entropy: 7.9969754338	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\ProtectionManagement.dll.mui entropy: 7.9972552747	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\mpuxagent.dll.mui entropy: 7.99474762167	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdBoot.sys entropy: 7.99701150026	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdDevFlt.sys entropy: 7.99921339686	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\MpAsDesc.dll.mui entropy: 7.99727166505	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\mpuxagent.dll.mui entropy: 7.99472271828	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdNisDrv.sys entropy: 7.99787364947	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdFilter.sys entropy: 7.99964976472	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\MpAsDesc.dll.mui entropy: 7.99772726206	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\mpuxagent.dll.mui entropy: 7.99448438079	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\MpEvMsg.dll.mui entropy: 7.99667518866	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\mpuxagent.dll.mui entropy: 7.99489193125	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\mpuxagent.dll.mui entropy: 7.99541051865	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\MpAsDesc.dll.mui entropy: 7.99665540135	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\mpuxagent.dll.mui entropy: 7.99438739772	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\mpuxagent.dll.mui entropy: 7.99451479406	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\MpAsDesc.dll.mui entropy: 7.9970633226	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\MpAsDesc.dll.mui entropy: 7.99676541765	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\mpuxagent.dll.mui entropy: 7.99462793093	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\mpuxagent.dll.mui entropy: 7.9951479192	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\MpEvMsg.dll.mui entropy: 7.99715480928	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\MpAsDesc.dll.mui entropy: 7.99700968578	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\MpEvMsg.dll.mui entropy: 7.99641191464	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\ProtectionManagement.dll.mui entropy: 7.99718550673	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\MpAsDesc.dll.mui entropy: 7.99701020823	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\MpEvMsg.dll.mui entropy: 7.99670159436	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\mpuxagent.dll.mui entropy: 7.99402970486	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\mpuxagent.dll.mui entropy: 7.99513272468	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\ProtectionManagement.dll.mui entropy: 7.9972751478	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\mpuxagent.dll.mui entropy: 7.99575788592	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\mpuxagent.dll.mui entropy: 7.99435597764	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\MpAsDesc.dll.mui entropy: 7.99729762978	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\MpAsDesc.dll.mui entropy: 7.99648440519	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\mpuxagent.dll.mui entropy: 7.99404099886	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\mpuxagent.dll.mui entropy: 7.99433146155	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\mpuxagent.dll.mui entropy: 7.99511473482	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\MpAsDesc.dll.mui entropy: 7.99670879815	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\MpAsDesc.dll.mui entropy: 7.99723131522	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\mpuxagent.dll.mui entropy: 7.99395528802	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\MpEvMsg.dll.mui entropy: 7.99668717113	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\mpuxagent.dll.mui entropy: 7.99374039072	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\mpuxagent.dll.mui entropy: 7.99418202114	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\MpAsDesc.dll.mui entropy: 7.99673052729	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\MpEvMsg.dll.mui entropy: 7.99620850986	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\mpuxagent.dll.mui entropy: 7.99371063351	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\mpuxagent.dll.mui entropy: 7.9944409219	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\mpuxagent.dll.mui entropy: 7.99416830883	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\mpuxagent.dll.mui entropy: 7.99377888683	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\MpAsDesc.dll.mui entropy: 7.99699156347	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\mpuxagent.dll.mui entropy: 7.99438853674	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\MpEvMsg.dll.mui entropy: 7.9968500272	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\MpAsDesc.dll.mui entropy: 7.99773977871	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log entropy: 7.99765140488	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\mpuxagent.dll.mui entropy: 7.99460498927	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log entropy: 7.99723679533	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\ProtectionManagement.dll.mui entropy: 7.997358616	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log entropy: 7.99689252671	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00003.log entropy: 7.99713315163	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs entropy: 7.99746004132	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs entropy: 7.99677955685	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\mpuxagent.dll.mui entropy: 7.99491357432	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log entropy: 7.99723339127	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db entropy: 7.99910785159	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\mpuxagent.dll.mui entropy: 7.99546367014	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\mpuxagent.dll.mui entropy: 7.99503292369	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\mpuxagent.dll.mui entropy: 7.99447114892	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml entropy: 7.99770651703	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\MpAsDesc.dll.mui entropy: 7.99642440517	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml entropy: 7.99283774134	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\mpuxagent.dll.mui entropy: 7.99390341244	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml entropy: 7.99778906458	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml entropy: 7.99855669711	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml entropy: 7.99824500759	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat entropy: 7.99970337294	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml entropy: 7.99822632447	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\mpuxagent.dll.mui entropy: 7.99490385961	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml entropy: 7.9997814911	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\MpAsDesc.dll.mui entropy: 7.99703375319	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\mpuxagent.dll.mui entropy: 7.99448949839	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\MpAsDesc.dll.mui entropy: 7.99725372288	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml entropy: 7.9975688052	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man entropy: 7.99837815103	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml entropy: 7.99728773989	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\mpuxagent.dll.mui entropy: 7.99487055892	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\MpEvMsg.dll.mui entropy: 7.99650375613	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml entropy: 7.99716539628	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml entropy: 7.997200001	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml entropy: 7.99657005487	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml entropy: 7.99758877511	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png entropy: 7.9985493817	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png entropy: 7.99564852326	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png entropy: 7.99322927408	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png entropy: 7.99498082373	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png entropy: 7.9984186458	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png entropy: 7.9943458994	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp entropy: 7.99967666851	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp entropy: 7.99970162048	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico entropy: 7.99640314032	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico entropy: 7.99362603876	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico entropy: 7.9978506595	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico entropy: 7.99595010423	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico entropy: 7.99697566482	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico entropy: 7.99620593007	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml entropy: 7.99463084026	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat entropy: 7.99711255485	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db entropy: 7.99962164038	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico entropy: 7.99819848564	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico entropy: 7.99598069368	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico entropy: 7.99660388896	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico entropy: 7.99738044479	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat entropy: 7.99978889934	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml entropy: 7.99510520161	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.dat.cat entropy: 7.99971831429	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db entropy: 7.99531377197	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico entropy: 7.99618000571	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico entropy: 7.99701385289	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico entropy: 7.99665069547	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico entropy: 7.99734281851	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man entropy: 7.99959177404	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml entropy: 7.99730569215	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml entropy: 7.99754275233	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json entropy: 7.99874465823	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk entropy: 7.9988256328	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml entropy: 7.99896497977	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml entropy: 7.99461002016	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml entropy: 7.9975473822	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml entropy: 7.99042993061	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml entropy: 7.99937393335	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml entropy: 7.99858470781	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml entropy: 7.99823126034	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json entropy: 7.99842000315	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk entropy: 7.99831342409	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml entropy: 7.99393877413	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml entropy: 7.99320792645	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml entropy: 7.99861774224	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml entropy: 7.99185669294	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml.INC (copy) entropy: 7.99463084026	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat.INC (copy) entropy: 7.99711255485	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db.INC (copy) entropy: 7.99962164038	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat.INC (copy) entropy: 7.99978889934	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml.INC (copy) entropy: 7.99510520161	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db.INC (copy) entropy: 7.99531377197	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.dat.cat.INC (copy) entropy: 7.99971831429	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.INC (copy) entropy: 7.99959177404	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99730569215	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml.INC (copy) entropy: 7.99754275233	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.INC (copy) entropy: 7.99461002016	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml.INC (copy) entropy: 7.99042993061	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99896497977	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.INC (copy) entropy: 7.99858470781	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml.INC (copy) entropy: 7.99937393335	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.9975473822	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99823126034	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.INC (copy) entropy: 7.99185669294	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.INC (copy) entropy: 7.99283774134	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.INC (copy) entropy: 7.99320792645	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.INC (copy) entropy: 7.99393877413	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.INC (copy) entropy: 7.99770651703	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99778906458	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99822632447	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99824500759	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.9997814911	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml.INC (copy) entropy: 7.99861774224	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.INC (copy) entropy: 7.99837815103	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99855669711	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.INC (copy) entropy: 7.99564852326	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.INC (copy) entropy: 7.9985493817	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.INC (copy) entropy: 7.99322927408	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.INC (copy) entropy: 7.99498082373	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.INC (copy) entropy: 7.9984186458	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.INC (copy) entropy: 7.9943458994	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico.INC (copy) entropy: 7.99362603876	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico.INC (copy) entropy: 7.99640314032	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico.INC (copy) entropy: 7.9978506595	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico.INC (copy) entropy: 7.99595010423	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico.INC (copy) entropy: 7.99697566482	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico.INC (copy) entropy: 7.99620593007	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico.INC (copy) entropy: 7.99819848564	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.INC (copy) entropy: 7.99598069368	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico.INC (copy) entropy: 7.99660388896	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico.INC (copy) entropy: 7.99738044479	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico.INC (copy) entropy: 7.99618000571	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico.INC (copy) entropy: 7.99701385289	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico.INC (copy) entropy: 7.99665069547	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico.INC (copy) entropy: 7.99734281851	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.INC (copy) entropy: 7.99874465823	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk.INC (copy) entropy: 7.9988256328	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.INC (copy) entropy: 7.99842000315	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.INC (copy) entropy: 7.99831342409	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.INC (copy) entropy: 7.99928813905	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.INC (copy) entropy: 7.99840282832	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.INC (copy) entropy: 7.99455111405	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.INC (copy) entropy: 7.99288617108	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl.INC (copy) entropy: 7.99978831733	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl.INC (copy) entropy: 7.99916746549	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl.INC (copy) entropy: 7.9993755479	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl.INC (copy) entropy: 7.99971621672	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.INC (copy) entropy: 7.99938677062	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log.INC (copy) entropy: 7.99723679533	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log.INC (copy) entropy: 7.99689252671	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.INC (copy) entropy: 7.99765140488	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00003.log.INC (copy) entropy: 7.99713315163	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.INC (copy) entropy: 7.99746004132	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.INC (copy) entropy: 7.99677955685	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.INC (copy) entropy: 7.99723339127	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.INC (copy) entropy: 7.99910785159	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat.INC (copy) entropy: 7.99970337294	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml.INC (copy) entropy: 7.9975688052	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml.INC (copy) entropy: 7.99728773989	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml.INC (copy) entropy: 7.99716539628	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml.INC (copy) entropy: 7.997200001	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml.INC (copy) entropy: 7.99657005487	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml.INC (copy) entropy: 7.99758877511	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.INC (copy) entropy: 7.99967666851	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.INC (copy) entropy: 7.99970162048	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.vdm.INC (copy) entropy: 7.99988935684	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.lkg.INC (copy) entropy: 7.99982476639	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm.INC (copy) entropy: 7.99942648872	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm.INC (copy) entropy: 7.99969453716	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasdlta.vdm.INC (copy) entropy: 7.99981887795	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavdlta.vdm.INC (copy) entropy: 7.99832174775	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.lkg.INC (copy) entropy: 7.99994017881	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\mpuxagent.dll.mui.INC (copy) entropy: 7.99541364394	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\mpuxagent.dll.mui.INC (copy) entropy: 7.99526857284	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\mpuxagent.dll.mui.INC (copy) entropy: 7.99333789735	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\mpuxagent.dll.mui.INC (copy) entropy: 7.99299584601	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\mpuxagent.dll.mui.INC (copy) entropy: 7.99487364788	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99340871356	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\MpAsDesc.dll.mui.INC (copy) entropy: 7.99683078898	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\MpAsDesc.dll.mui.INC (copy) entropy: 7.99690554879	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\mpuxagent.dll.mui.INC (copy) entropy: 7.99536819531	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\mpuxagent.dll.mui.INC (copy) entropy: 7.99467898964	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99449279706	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\MpAsDesc.dll.mui.INC (copy) entropy: 7.99723941492	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\mpuxagent.dll.mui.INC (copy) entropy: 7.99535729541	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.lkg.INC (copy) entropy: 7.99997723061	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm.INC (copy) entropy: 7.9999759191	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm.INC (copy) entropy: 7.9999780097	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavbase.vdm.INC (copy) entropy: 7.99997181962	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\mpuxagent.dll.mui.INC (copy) entropy: 7.99300633855	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpAsDesc.dll.mui.INC (copy) entropy: 7.99667227615	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\IGD.CAT.INC (copy) entropy: 7.99596189649	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpEvMsg.dll.mui.INC (copy) entropy: 7.99673736162	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.lkg.INC (copy) entropy: 7.99998619676	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasbase.vdm.INC (copy) entropy: 7.9999836608	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\mpuxagent.dll.mui.INC (copy) entropy: 7.99445270657	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpAsDesc.dll.mui.INC (copy) entropy: 7.99727234247	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpEvMsg.dll.mui.INC (copy) entropy: 7.99698745328	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\mpuxagent.dll.mui.INC (copy) entropy: 7.99447647894	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpAsDesc.dll.mui.INC (copy) entropy: 7.99724944876	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpEvMsg.dll.mui.INC (copy) entropy: 7.99673824098	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\mpuxagent.dll.mui.INC (copy) entropy: 7.99476728239	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\ProtectionManagement.dll.mui.INC (copy) entropy: 7.9972552747	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdBoot.sys.INC (copy) entropy: 7.99701150026	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdDevFlt.sys.INC (copy) entropy: 7.99921339686	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdNisDrv.sys.INC (copy) entropy: 7.99787364947	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdFilter.sys.INC (copy) entropy: 7.99964976472	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\MpAsDesc.dll.mui.INC (copy) entropy: 7.99772726206	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\MpEvMsg.dll.mui.INC (copy) entropy: 7.99667518866	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\mpuxagent.dll.mui.INC (copy) entropy: 7.99489193125	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\MpAsDesc.dll.mui.INC (copy) entropy: 7.99665540135	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\mpuxagent.dll.mui.INC (copy) entropy: 7.99438739772	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\MpAsDesc.dll.mui.INC (copy) entropy: 7.99676541765	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\mpuxagent.dll.mui.INC (copy) entropy: 7.9951479192	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\MpEvMsg.dll.mui.INC (copy) entropy: 7.99715480928	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\ProtectionManagement.dll.mui.INC (copy) entropy: 7.99718550673	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\MpAsDesc.dll.mui.INC (copy) entropy: 7.99701020823	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\MpEvMsg.dll.mui.INC (copy) entropy: 7.99670159436	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\mpuxagent.dll.mui.INC (copy) entropy: 7.99513272468	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\ProtectionManagement.dll.mui.INC (copy) entropy: 7.9972751478	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\MpAsDesc.dll.mui.INC (copy) entropy: 7.99729762978	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\mpuxagent.dll.mui.INC (copy) entropy: 7.99404099886	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\mpuxagent.dll.mui.INC (copy) entropy: 7.99511473482	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\MpAsDesc.dll.mui.INC (copy) entropy: 7.99670879815	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\mpuxagent.dll.mui.INC (copy) entropy: 7.99395528802	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\mpuxagent.dll.mui.INC (copy) entropy: 7.99418202114	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\MpAsDesc.dll.mui.INC (copy) entropy: 7.99673052729	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\MpEvMsg.dll.mui.INC (copy) entropy: 7.99620850986	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\mpuxagent.dll.mui.INC (copy) entropy: 7.99416830883	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\mpuxagent.dll.mui.INC (copy) entropy: 7.99377888683	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\MpAsDesc.dll.mui.INC (copy) entropy: 7.99699156347	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\mpuxagent.dll.mui.INC (copy) entropy: 7.99438853674	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\MpEvMsg.dll.mui.INC (copy) entropy: 7.9968500272	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\MpAsDesc.dll.mui.INC (copy) entropy: 7.99773977871	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\mpuxagent.dll.mui.INC (copy) entropy: 7.99460498927	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\ProtectionManagement.dll.mui.INC (copy) entropy: 7.997358616	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\mpuxagent.dll.mui.INC (copy) entropy: 7.99491357432	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\mpuxagent.dll.mui.INC (copy) entropy: 7.99546367014	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\mpuxagent.dll.mui.INC (copy) entropy: 7.99503292369	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99447114892	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\MpAsDesc.dll.mui.INC (copy) entropy: 7.99642440517	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\mpuxagent.dll.mui.INC (copy) entropy: 7.99390341244	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99490385961	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\MpAsDesc.dll.mui.INC (copy) entropy: 7.99703375319	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\mpuxagent.dll.mui.INC (copy) entropy: 7.99448949839	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\MpAsDesc.dll.mui.INC (copy) entropy: 7.99725372288	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\mpuxagent.dll.mui.INC (copy) entropy: 7.99487055892	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\MpEvMsg.dll.mui.INC (copy) entropy: 7.99650375613	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\MpAsDesc.dll.mui.INC (copy) entropy: 7.99716458866	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\mpuxagent.dll.mui.INC (copy) entropy: 7.9941949191	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\mpuxagent.dll.mui.INC (copy) entropy: 7.99512252582	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\MpAsDesc.dll.mui.INC (copy) entropy: 7.9968871305	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\MpEvMsg.dll.mui.INC (copy) entropy: 7.99652531712	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\mpuxagent.dll.mui.INC (copy) entropy: 7.99510643401	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\ProtectionManagement.dll.mui.INC (copy) entropy: 7.99723716675	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\MpAsDesc.dll.mui.INC (copy) entropy: 7.99561656616	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\MpEvMsg.dll.mui.INC (copy) entropy: 7.99529381708	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\mpuxagent.dll.mui.INC (copy) entropy: 7.99241457298	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\ProtectionManagement.dll.mui.INC (copy) entropy: 7.99576993742	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\mpuxagent.dll.mui.INC (copy) entropy: 7.99446667444	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\mpuxagent.dll.mui.INC (copy) entropy: 7.99474691329	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\mpuxagent.dll.mui.INC (copy) entropy: 7.99449646803	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.9950352202	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\MpAsDesc.dll.mui.INC (copy) entropy: 7.99602405898	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\MpEvMsg.dll.mui.INC (copy) entropy: 7.99549092261	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\mpuxagent.dll.mui.INC (copy) entropy: 7.99210200742	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\ProtectionManagement.dll.mui.INC (copy) entropy: 7.99606605201	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99504824624	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\mpuxagent.dll.mui.INC (copy) entropy: 7.99497082461	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\mpuxagent.dll.mui.INC (copy) entropy: 7.9946717805	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\mpuxagent.dll.mui.INC (copy) entropy: 7.99392560868	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\MpAsDesc.dll.mui.INC (copy) entropy: 7.99719797414	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\MpAsDesc.dll.mui.INC (copy) entropy: 7.99724019837	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\mpuxagent.dll.mui.INC (copy) entropy: 7.99432056604	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\mpuxagent.dll.mui.INC (copy) entropy: 7.99440206642	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Microsoft-Antimalware-Service.man.INC (copy) entropy: 7.99323101723	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Microsoft-Windows-Windows Defender.man.INC (copy) entropy: 7.99879028028	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\mpuxagent.dll.mui.INC (copy) entropy: 7.9939936255	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.9948457671	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99517442906	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\mpuxagent.dll.mui.INC (copy) entropy: 7.9951784993	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\mpuxagent.dll.mui.INC (copy) entropy: 7.99481871435	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\MpAsDesc.dll.mui.INC (copy) entropy: 7.99725431293	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\MpEvMsg.dll.mui.INC (copy) entropy: 7.99692537406	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\mpuxagent.dll.mui.INC (copy) entropy: 7.99319614944	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\mpuxagent.dll.mui.INC (copy) entropy: 7.99490824211	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\MpAsDesc.dll.mui.INC (copy) entropy: 7.997204805	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\MpEvMsg.dll.mui.INC (copy) entropy: 7.99721576717	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\mpuxagent.dll.mui.INC (copy) entropy: 7.99430112126	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\mpuxagent.dll.mui.INC (copy) entropy: 7.99393655774	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99501423362	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99449178235	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\MpAsDesc.dll.mui.INC (copy) entropy: 7.99742284987	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\MpEvMsg.dll.mui.INC (copy) entropy: 7.99681718594	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\mpuxagent.dll.mui.INC (copy) entropy: 7.99471007352	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpPerformanceRecording.psm1.INC (copy) entropy: 7.99770689023	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpPerformanceReport.Format.ps1xml.INC (copy) entropy: 7.99819463794	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpPreference.cdxml.INC (copy) entropy: 7.99836100428	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.mof.INC (copy) entropy: 7.99827746027	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\MpAsDesc.dll.mui.INC (copy) entropy: 7.99662108557	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\MpEvMsg.dll.mui.INC (copy) entropy: 7.99710225696	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\mpuxagent.dll.mui.INC (copy) entropy: 7.99406922349	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\ProtectionManagement.dll.mui.INC (copy) entropy: 7.99719492151	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\MpAsDesc.dll.mui.INC (copy) entropy: 7.99773287209	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\MpEvMsg.dll.mui.INC (copy) entropy: 7.99689069877	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\mpuxagent.dll.mui.INC (copy) entropy: 7.99466739158	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\mpuxagent.dll.mui.INC (copy) entropy: 7.99510925439	Jump to dropped file
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\MpAsDesc.dll.mui.INC (copy) entropy: 7.99734467686	Jump to dropped file

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F54E00: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,

0_2_00F54E00

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: lstrcmpiW,lstrcpyW,GetModuleHandleW,GetModuleFileNameW,lstrcpyW,lstrcatW,lstrcatW,OpenSCManagerW,CreateServiceW,GetLastError,GetLastError,GetLastError,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Wow64DisableWow64FsRedirection,CreateProcessW,CreateProcessW,GetLastError,CreateProcessW, shutdown.exe -r		0_2_00F58D50
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: lstrcmpiW,lstrcpyW,GetModuleHandleW,GetModuleFileNameW,lstrcpyW,lstrcatW,lstrcatW,OpenSCManagerW,CreateServiceW,GetLastError,GetLastError,GetLastError,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Wow64DisableWow64FsRedirection,CreateProcessW,CreateProcessW,GetLastError,CreateProcessW, C:\Windows\system32\shutdown.exe		0_2_00F58D50

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Windows\system32\spool\PRINTERS\00002.SPL	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Windows\system32\spool\PRINTERS\00003.SPL	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Windows\system32\spool\PRINTERS\00004.SPL	Jump to behavior

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F574E0	0_2_00F574E0
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F6987C	0_2_00F6987C
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F52DE0	0_2_00F52DE0
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F655CE	0_2_00F655CE
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F58990	0_2_00F58990
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F5C540	0_2_00F5C540
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F65120	0_2_00F65120
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F51110	0_2_00F51110
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F5C76F	0_2_00F5C76F

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: String function: 00F54800 appears 35 times

Source: jokLq9gHyc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.rans.expl.evad.winEXE@7/1430@0/1

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F571E0 SetNamedSecurityInfoW,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,

0_2_00F571E0

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: lstrcmpiW,lstrcpyW,GetModuleHandleW,GetModuleFileNameW,lstrcpyW,lstrcatW,lstrcatW,OpenSCManagerW,CreateServiceW,GetLastError,GetLastError,GetLastError,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Wow64DisableWow64FsRedirection,CreateProcessW,CreateProcessW,GetLastError,CreateProcessW,

0_2_00F58D50

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F57110 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,_wcsstr,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,

0_2_00F57110

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F5BD23 LockResource,

0_2_00F5BD23

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

File created: C:\Users\INC-README.html

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

File created: C:\ProgramData\Microsoft\Diagnosis\Temp\INC-README.html

Jump to behavior

Source: jokLq9gHyc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jokLq9gHyc.exe

ReversingLabs: Detection: 78%

Source: jokLq9gHyc.exe	String found in binary or memory: --helpDisplay this message
Source: jokLq9gHyc.exe	String found in binary or memory: --helpDisplay this message
Source: jokLq9gHyc.exe	String found in binary or memory: --help
Source: jokLq9gHyc.exe	String found in binary or memory: --help
Source: jokLq9gHyc.exe	String found in binary or memory: --helpDisplay this message
Source: jokLq9gHyc.exe	String found in binary or memory: --helpDisplay this message
Source: jokLq9gHyc.exe	String found in binary or memory: --helpDisplay this message
Source: jokLq9gHyc.exe	String found in binary or memory: --helpDisplay this message
Source: jokLq9gHyc.exe	String found in binary or memory: shutdown.exe -rC:\Windows\system32\shutdown.exe--file--dir--sup--ens--lhd--debug--kill--help--hide--mode[*] Count of arguments: %d
Source: jokLq9gHyc.exe	String found in binary or memory: shutdown.exe -rC:\Windows\system32\shutdown.exe--file--dir--sup--ens--lhd--debug--kill--help--hide--mode[*] Count of arguments: %d

Source: unknown	Process created: C:\Users\user\Desktop\jokLq9gHyc.exe "C:\Users\user\Desktop\jokLq9gHyc.exe"
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{A2E7CF79-C90D-485A-A37F-868BC5C92F80}.xps" 133765767541360000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1	Jump to behavior

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: print.printsupport.source.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxst30.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsroute.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msoimm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso98imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso40uiimm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: oneclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: onmainim.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso50imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso50imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: office.ui.xaml.onenote.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: react.uwp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: chakra.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: icuuc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: icuin.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.profile.retailinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.remotedesktop.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.profile.systemid.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: office.ui.xaml.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.applicationmodel.lockscreen.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: lockappbroker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.networking.hostname.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: aadwamextension.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.applicationmodel.store.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: cabinet.dll	Jump to behavior

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: jokLq9gHyc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: jokLq9gHyc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F56C70 LoadLibraryW,GetProcAddress,

0_2_00F56C70

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F59FD6 push ecx; ret

0_2_00F59FE9

Source: jokLq9gHyc.exe

Binary or memory string: ServiceSYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmksvcSYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmksvcbcdedit.exe /set {default} safeboot networkC:\Windows\system32\bcdedit.exe[-] Failed to enter safe mode! %d

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\$WinREAgent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\$WinREAgent\Scratch\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\PerfLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\ARM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\dbg\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\AppV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\AppV\Setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\UserData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\Keys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Crypto\SystemKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DeviceSync\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventTranscript\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Sideload\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Siufloc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLanding\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DRM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\DRM\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\production\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\MapData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\MF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\NetFramework\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Network\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Network\Connections\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Network\Downloader\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Office\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Provisioning\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Search\Data\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Settings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Settings\Accounts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Spectrum\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Speech_OneCore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Storage Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\Scripts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\UEV\Templates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Vault\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WDF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Clean Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\FileEvidence\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\NetworkFilesMappingStubs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Features\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\BackupStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\00\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\03\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\04\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\05\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\06\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\07\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\15\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\21\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Snapshots\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft\WwanSvc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Microsoft OneDrive\setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\vcRuntimeMinimum_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\regid.1991-06.com.microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\SoftwareDistribution\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\ssh\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\USOShared\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\USOShared\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\USOShared\Logs\User\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\WindowsHolographicDevices\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Recovery\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Default\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\.ms-ad\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\3D Objects\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Contacts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\CURQNKVOIX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\DVWHKMNFNN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\HTAGVDFUIE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\JSDNGYCOWY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\KZWFNRXYKI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Desktop\ZTGJILHXQB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\CURQNKVOIX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\DVWHKMNFNN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\HTAGVDFUIE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\JSDNGYCOWY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\KZWFNRXYKI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Documents\ZTGJILHXQB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Favorites\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Pictures\Camera Roll\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Pictures\Saved Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Recent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Searches\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\user\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\AccountPictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Libraries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File created: C:\Users\Public\Videos\INC-README.txt	Jump to behavior

Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,GetLastError,GetLastError,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,

0_2_00F56F70

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F549A0 Sleep,lstrcmpiW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,		0_2_00F549A0
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F54AE0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,Sleep,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,_wcsstr,lstrcpyW,lstrcatW,Sleep,InterlockedExchangeAdd,CreateThread,FindNextFileW,FindClose,		0_2_00F54AE0

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F556A0 GetSystemInfo,CreateIoCompletionPort,CreateThread,CreateThread,

0_2_00F556A0

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Clean Store\	Jump to behavior

Source: OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf
Source: OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: onenoteim.exe, 0000000E.00000002.2984894761.00000229D538C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F5F4C6 lstrcmpiW,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F5F4C6

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F56C70 LoadLibraryW,GetProcAddress,

0_2_00F56C70

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F5E0A3 mov eax, dword ptr fs:[00000030h]

0_2_00F5E0A3

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F636C0 GetProcessHeap,

0_2_00F636C0

Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F5F4C6 lstrcmpiW,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F5F4C6
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F59DB7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F59DB7
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F596E5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F596E5
Source: C:\Users\user\Desktop\jokLq9gHyc.exe	Code function: 0_2_00F59ED2 SetUnhandledExceptionFilter,	0_2_00F59ED2

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F57280 AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,SetNamedSecurityInfoW,GetCurrentProcess,OpenProcessToken,SetNamedSecurityInfoW,SetNamedSecurityInfoW,FreeSid,LocalFree,CloseHandle,

0_2_00F57280

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F59FED cpuid

0_2_00F59FED

Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTA595.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTA596.tmp VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Code function: 0_2_00F59CA6 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F59CA6

Source: C:\Users\user\Desktop\jokLq9gHyc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: jokLq9gHyc.exe, 00000000.00000003.2018276391.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1982982592.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1994645038.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.2024753850.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1981744549.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1990850655.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1997539203.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1949911374.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1992545511.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, jokLq9gHyc.exe, 00000000.00000003.1938746807.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Windows Service	1 DLL Side-Loading	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	1 Defacement
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Process Injection	11 Masquerading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	25 System Information Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Process Injection	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bootkit	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
jokLq9gHyc.exe	79%	ReversingLabs	Win32.Ransomware.Raninc
jokLq9gHyc.exe	100%	Avira	TR/Ransom.ijywv
jokLq9gHyc.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://useraudit.o365auditrealtimeingestion.manage.office.com7~	0%	Avira URL Cloud	safe
https://ofcrecsvcapi-int.azurewebsites.net/6c	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/uQq	0%	Avira URL Cloud	safe
https://login.windows.localB$	0%	Avira URL Cloud	safe
https://api.cortana.aiWN	0%	Avira URL Cloud	safe
https://settings.outlook.comv	0%	Avira URL Cloud	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com%q	0%	Avira URL Cloud	safe
https://api.onedrive.comM	0%	Avira URL Cloud	safe
https://api.diagnostics.office.comAT	0%	Avira URL Cloud	safe
https://api.diagnosticssdf.office.comcU	0%	Avira URL Cloud	safe
https://substrate.office.comu	0%	Avira URL Cloud	safe
https://lookup.onenote.com/lookup/geolocation/v16	0%	Avira URL Cloud	safe
https://substrate.office.comt	0%	Avira URL Cloud	safe
https://substrate.office.comQ	0%	Avira URL Cloud	safe
https://substrate.office.comd	0%	Avira URL Cloud	safe
https://devnull.onenote.comMBI_SSL_SHORT	0%	Avira URL Cloud	safe
https://management.azure.comz	0%	Avira URL Cloud	safe
https://substrate.office.comv	0%	Avira URL Cloud	safe
https://incidents.diagnostics.office.comNb	0%	Avira URL Cloud	safe
https://officepyservice.office.net/2	0%	Avira URL Cloud	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechj	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
svc.ms-acdc-teams.office.com	52.123.255.71	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnostics.office.com?SK	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://shell.suite.office.com:1443	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://designerapp.azurewebsites.net	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover-s.outlook.com/	OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://useraudit.o365auditrealtimeingestion.manage.office.com	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.diagnostics.office.comAT	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com/connectors	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985285505.00000229D660E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.entity.	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.cortana.aiWN	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://consent.config.office.com/consentweb/v1.0/consentson=	OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lookup.onenote.com/lookup/geolocation/v1	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ofcrecsvcapi-int.azurewebsites.net/6c	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/	jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, INC-README.txt194.0.dr, INC-README.html22.0.dr, INC-README.html151.0.dr, INC-README.html182.0.dr, INC-README.txt233.0.dr, INC-README.txt197.0.dr, INC-README.txt187.0.dr, INC-README.txt59.0.dr, INC-README.txt201.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html147.0.dr, INC-README.html89.0.dr, INC-README.html161.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.html232.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://useraudit.o365auditrealtimeingestion.manage.office.com7~	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.aadrm.com/	OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.localB$	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://canary.designerapp.	OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.diagnosticssdf.office.comcU	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policiesM~	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://settings.outlook.comv	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com%q	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.onedrive.comM	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280A1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yammer.com	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679419055.000001ED280EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2699528931.000001ED280EE000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987416583.00000229D7A5E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp	OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.microsoftstream.com/api/	OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986739032.00000229D774E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cr.office.com	OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dataservice.o365filtering.com/uQq	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	false		high
https://otelrules.svc.static.microsoft	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://edge.skype.com/registrar/prod	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tasks.office.com	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://officeci.azurewebsites.net/api/	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679323499.000001ED280DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680609584.000001ED280E2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lookup.onenote.com/lookup/geolocation/v16	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://my.microsoftpersonalcontent.com	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2682600256.000001ED2813F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700388303.000001ED28147000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorize%	OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.office.cn/addinstemplate	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorize&	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://messaging.engagement.office.com/	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://templatesmetadata.office.net/$	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/connectorsPb	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986328426.00000229D761B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.odwebp.svc.ms	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.powerbi.com/v1.0/myorg/groups	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.microsoftstream.com/video/	OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.addins.store.officeppe.com/addinstemplate	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2114954008.00000229D6635000.00000004.00000020.00020000.00000000.sdmp	false		high
https://substrate.office.comv	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.windows.net	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://substrate.office.comu	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.comt	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesV	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordD	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://messaging.action.office.com/setuseraction16V	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://templatesmetadata.office.net/N	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://substrate.office.comd	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681230210.000001ED2813C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985568812.00000229D6644000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d.docs.live.net	OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27D28000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://edge.skype.com/rpsMBI_SSLskype.com	OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/embed?J	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684908476.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://safelinks.protection.outlook.com/api/GetPolicy	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ncus.contentsync.	OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2116042295.00000229D7798000.00000004.00000020.00020000.00000000.sdmp	false		high
https://service.officepy.microsoftusercontent.com/6	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://management.azure.comz	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
http://weather.service.msn.com/data.aspx	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128199523.00000229D77D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://officepyservice.office.net/2	OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.comQ	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.comP	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://devnull.onenote.comMBI_SSL_SHORT	OfficeC2RClient.exe, 0000000C.00000003.2155520866.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115950966.00000229D7781000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2116042295.00000229D7798000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mss.office.com	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pushchannel.1drv.ms	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684541770.000001ED28177000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2701199456.000001ED28178000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678979662.000001ED28174000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115201795.00000229D663D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115157094.00000229D6639000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://incidents.diagnostics.office.comNb	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wus2.contentsync.	OfficeC2RClient.exe, 0000000C.00000002.2701085811.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155200588.000001ED27D8D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683965745.000001ED28168000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677443931.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154063932.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697850827.000001ED27DA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153395018.000001ED27D95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162638622.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152737705.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2153597937.000001ED28166000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156635399.000001ED27D99000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687510101.000001ED27DA1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizee	OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients.config.office.net/user/v1.0/ios	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688355857.000001ED25BDA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2688999885.000001ED25C32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/	jokLq9gHyc.exe, 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, INC-README.txt194.0.dr, INC-README.html22.0.dr, INC-README.html151.0.dr, INC-README.html182.0.dr, INC-README.txt233.0.dr, INC-README.txt197.0.dr, INC-README.txt187.0.dr, INC-README.txt59.0.dr, INC-README.txt201.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html147.0.dr, INC-README.html89.0.dr, INC-README.html161.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.html232.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr	false		high
https://api.addins.omex.office.net/api/addins/search	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D6633000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeX	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/api/v1.0/me/Activities	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679609032.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681338159.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2695499627.000001ED2758C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2692240102.000001ED2758B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677601900.000001ED2758A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeP	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://service.officepy.microsoftusercontent.com/ovid8(.D	OfficeC2RClient.exe, 0000000C.00000003.2677048163.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2697788167.000001ED27D9C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2687154061.000001ED27D94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients.config.office.net/user/v1.0/android/policies	OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechj	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678473200.000001ED2808F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678886010.000001ED2809C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2698430105.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2679935669.000001ED280AA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680822392.000001ED280AB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizeU	OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://entitlement.diagnostics.office.com	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680069455.000001ED280D1000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678810908.000001ED280CA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684413304.000001ED280D2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115263491.00000229D662B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeV	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2700700475.000001ED28152000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2681156060.000001ED2814D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680394858.000001ED28116000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2683508627.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2684340898.000001ED28151000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonD	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680513268.000001ED28103000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678575626.000001ED280F9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED2809A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2158878381.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2680923985.000001ED280C4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2156741198.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2678376387.000001ED280B4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2154244946.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2155619310.000001ED2808D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677201162.000001ED28077000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2152908320.000001ED2807D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2162778852.000001ED2808E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2676682105.000001ED28072000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7790000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2985509654.00000229D6613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office.com/	OfficeC2RClient.exe, 0000000C.00000003.2686029977.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2137299656.000001ED27D5D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2677847056.000001ED27C94000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2163078757.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2674621626.000001ED27C8E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2689872711.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2136845392.000001ED28061000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000002.2696851520.000001ED27C95000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2124868356.00000229D77DF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2987265350.00000229D7A00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2128978316.00000229D775A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2115025588.00000229D7750000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2986783874.00000229D775C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.123.255.71	svc.ms-acdc-teams.office.com	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559341
Start date and time:	2024-11-20 12:44:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jokLq9gHyc.exe renamed because original name is a hash value
Original Sample Name:	36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e.exe
Detection:	MAL
Classification:	mal100.rans.expl.evad.winEXE@7/1430@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 21 Number of non-executed functions: 36
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, printfilterpipelinesvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 13.107.42.16
Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, licensing.mp.microsoft.com, ocsp.digicert.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, l-0007.l-msedge.net, config.edge.skype.com, manage.devcenter.microsoft.com, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com, mira.config.skype.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: jokLq9gHyc.exe

Simulations

Behavior and APIs

Time	Type	Description
06:46:00	API Interceptor	1x Sleep call for process: OfficeC2RClient.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
svc.ms-acdc-teams.office.com	file.exe	Get hash	malicious	Amadey, Cryptbot, Stealc, Vidar	Browse	52.123.242.140
	c39-EmprisaMaldoc.rtf	Get hash	malicious	Unknown	Browse	52.123.242.191
	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg	Get hash	malicious	Unknown	Browse	52.123.255.64
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	52.123.251.14
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	52.123.242.159
	SecuriteInfo.com.Trojan.GenericKD.74442994.24259.8937.exe	Get hash	malicious	Unknown	Browse	52.123.243.92
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	52.123.243.94
	Seeking Assistance for Legal Assistance in a Medical Matter.msg	Get hash	malicious	Unknown	Browse	52.123.243.81
	https://1drv.ms/b/c/7bab8803aa446446/EVRHiu8efYZAkD-YFD5xQmIBzT5hMnGkyiNpwrnOj-mH_g	Get hash	malicious	HTMLPhisher	Browse	52.123.224.72
	file.exe	Get hash	malicious	Unknown	Browse	52.123.243.83

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	LInp9ekGwk.exe	Get hash	malicious	INC Ransomware	Browse	52.123.224.74
	https://hffa.studycentrecpfc.com/D9ns6.studycentrecpfc.com/bUhZb/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	13.107.43.12
	https://c9amf220.caspio.com/dp/3ba5e0002add93b7ba4f4d22b51d	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://github.com/bambulab/BambuStudio/releases/download/v01.10.01.50/Bambu_Studio_win_public-v01.10.01.50-20241115162711.exe	Get hash	malicious	Unknown	Browse	13.107.42.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.60
	Salary 2025- workers-v1.xls	Get hash	malicious	Unknown	Browse	13.107.246.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	LInp9ekGwk.exe	Get hash	malicious	INC Ransomware	Browse	52.123.255.71
	sus.ps1	Get hash	malicious	LummaC	Browse	52.123.255.71
	file.exe	Get hash	malicious	LummaC	Browse	52.123.255.71
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse	52.123.255.71
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	52.123.255.71
	file.exe	Get hash	malicious	LummaC	Browse	52.123.255.71
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	52.123.255.71
	file.exe	Get hash	malicious	LummaC	Browse	52.123.255.71
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	52.123.255.71
	Salary 2025- workers-v1.xls	Get hash	malicious	Unknown	Browse	52.123.255.71

Process:	C:\Users\user\Desktop\jokLq9gHyc.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8321
Entropy (8bit):	4.63324893068508
Encrypted:	false
SSDEEP:	192:+uhiEu4HaRjJcWQkyK5TuljeYSM3O41fPFsMDKeCU:1i/8K5zYPFFsMDKFU
MD5:	293B6073872DF4F3492C483CECE06514
SHA1:	D48F6BCF0D6F47ADE74B5E16E103F6F6DECF3A18
SHA-256:	E2300A37A0B2A0D9D93806D14539B074BD77D85D3777DEDD33C4F15F8356D4E9
SHA-512:	965E318FF415B43AE0A73DCFBE9D5B853A7FB308712E111B261D3E6284F391F9428A5C43E1EBA42BE7565B7F35A8F1DBE16041BC6F4E4809F085FA76AF89DEBA
Malicious:	true
Reputation:	low
Preview:	<html>...<head>....<title>INC Ransom</title>...</head>...<body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;">....<div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;">.....<div style="width: 80%;">.. <div style="display: flex; flex-direction: column;">.. <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>.. <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span>.. <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span>.. </div>.. <div style="display: flex; flex-direction: column; margin-top: 16px;">.. <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Lin

Process:	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180335
Entropy (8bit):	5.289211690744735
Encrypted:	false
SSDEEP:	1536:Bi2XfRAqFbH4wglEwLe7HW8QM/o/NMOcAZl1p5ihs7EXXNEADpOoa5YdGVF8S7CC:0Re7HW8QM/o/aXSb1x
MD5:	ED81DC96EB9CE739F2C67CCE8C37BC37
SHA1:	681488C986D9ED6ACF8F44EDBF80328486B81717
SHA-256:	FAE70A70E91C7C90A547CA36CFC048C043A4D2EA7039B86B657A5E6665C7412C
SHA-512:	F40E6F77432BDF60308DC786D9631DC013BCE2E6C33E63D2E38B89263A55B5472ADCB1F40E4025C0EC1347ADC66F4072EC31C06B894C1BD2161010228D41C78F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-20T11:46:02">.. Build: 16.0.18307.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

Process:	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.9556155603764607
Encrypted:	false
SSDEEP:	3:LvTVUDNTYimGRbZn:fuYtGXn
MD5:	CECF719C71A5BBBA319EE09A7C27C111
SHA1:	04AE708D71B7CEF32C4F28E9609E9F10972DD815
SHA-256:	F6F96B1D30FFDF447EBB01857A2D6545AED227F62ABB74E8C45EEE07A5A8C618
SHA-512:	73AEE630500E07C3502C6BF8373067D0EEFF519948FB3DC9E12CB163CB40978C7C38272088A6AF299DEFD9D15EC230C6943F59EFB6B1AB1ED5CA7BDDB03671FD
Malicious:	false
Preview:	1732103160125..C7719C89-0F19-4962-99E4-8F239EBA6521..

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.714589728661187
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jokLq9gHyc.exe
File size:	164'864 bytes
MD5:	485573e162551f66f776923126e5b5ff
SHA1:	c1f4507c3f8eb24279e0b47a1523500e62cb0764
SHA256:	36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e
SHA512:	b26706dd0fc92019f85b287fb778d34d163fbcda987477f9a3635863e4ff7bd412782fac961ea03616a7687a08deaeec23e26c3ff6a97deacd460030c7700de3
SSDEEP:	3072:+dBK6dRsjHRvsGWO3G+gSB9ssYIeuV0lbGkZSQ5:2ajHOuVg9w0R5UQ5
TLSH:	25F38D60BEC09871E6B7193109B8DAF1993CFE312B3058DB1B94667A4E709E25570F3B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0.V.t.8^t.8^t.8^...^}.8^...^..8^...^l.8^..;_g.8^..=_V.8^..<_g.8^}..^g.8^t.9^..8^..1_~.8^..:_u.8^Richt.8^........PE..L......e...

Entrypoint:	0x409a34
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D0AED9 [Sat Feb 17 13:04:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9571cd5d48bd42b28bbbbb83862e75ac

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2646c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b000	0x143c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25d30	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25d68	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19bba	0x19c00	d7cddf25c17f86e22fa50375deb42bca	False	0.5423050667475728	data	6.656356509434083	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0xc3ec	0xc400	5c70b915ff135a8b4ad460a06c2b4fd1	False	0.43197943239795916	data	5.929472061954344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x28000	0x12d0	0x800	8564c208ac9f40c45b5e64be3e4a679f	False	0.16943359375	data	2.067145370405176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x2a000	0xb0	0x200	352d484bb23725bbc3debfa7be017a5b	False	0.279296875	data	1.5433233772290145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2b000	0x143c	0x1600	cf0e2014b2f71269bc1d28aa5d56645c	False	0.7542613636363636	data	6.388155907744713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
KERNEL32.dll	GetCurrentProcessId, InterlockedIncrement, CreateIoCompletionPort, GetCurrentProcess, GetTempPathW, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, LoadLibraryW, GetProcAddress, LocalFree, GetTickCount, EnterCriticalSection, LeaveCriticalSection, MoveFileExW, GetCommandLineW, Wow64DisableWow64FsRedirection, GetModuleFileNameW, ExitProcess, CreateProcessW, GetModuleHandleW, GetFileSizeEx, WriteConsoleW, HeapReAlloc, HeapSize, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetFilePointerEx, GetSystemInfo, lstrcpyA, InterlockedDecrement, SetFileAttributesW, PostQueuedCompletionStatus, OpenProcess, GetFileAttributesW, SetEndOfFile, GetQueuedCompletionStatus, WaitForMultipleObjects, TerminateProcess, GetProcessHeap, GetStringTypeW, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, ReadFile, GetDriveTypeW, lstrcmpiW, FindNextVolumeW, FindFirstFileW, lstrcpyW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, SetVolumeMountPointW, CreateThread, CloseHandle, InterlockedExchangeAdd, lstrcatW, GetLastError, Sleep, CreateFileW, WaitForSingleObject, FindClose, lstrlenA, DeviceIoControl, WriteFile, lstrlenW, IsValidCodePage, FindNextFileA, FindFirstFileExA, FindNextFileW, FindFirstVolumeW, GetConsoleWindow, GetFileType, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetLastError, RtlUnwind, RaiseException, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleExW, GetCommandLineA, GetACP, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, DecodePointer
USER32.dll	SystemParametersInfoW, GetSystemMetrics, GetDC, ShowWindow, ReleaseDC, DrawTextA
GDI32.dll	SetTextColor, BitBlt, CreateCompatibleBitmap, SelectObject, CreateDIBSection, GetTextExtentPoint32A, CreateCompatibleDC, CreateFontW, DeleteDC, SetBkMode, SetBkColor, DeleteObject
WINSPOOL.DRV	WritePrinter, EnumPrintersW, EndPagePrinter, StartDocPrinterW, OpenPrinterW, StartPagePrinter, EndDocPrinter, ClosePrinter
ADVAPI32.dll	EnumServicesStatusExW, RegOpenKeyW, QueryServiceStatusEx, CreateServiceW, RegCreateKeyExW, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, CryptAcquireContextW, CloseServiceHandle, OpenSCManagerW, AllocateAndInitializeSid, SetEntriesInAclW, SetNamedSecurityInfoW, ControlService, EnumDependentServicesW, RegSetValueExW, OpenProcessToken, FreeSid, OpenServiceW, CryptGenRandom
SHELL32.dll	CommandLineToArgvW, SHEmptyRecycleBinA
CRYPT32.dll	CryptStringToBinaryA
MPR.dll	WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 12:46:02.978295088 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:02.978341103 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:02.978398085 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:02.978817940 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:02.978830099 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:03.790467024 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:03.790556908 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:03.792284966 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:03.792295933 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:03.792648077 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:03.793601990 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:03.835328102 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.207587957 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.207613945 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.207688093 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.207707882 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.212415934 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.212460995 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.212496996 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.212507010 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.212568045 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.297334909 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.297359943 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.297405005 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.297415972 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.297442913 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.298163891 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.298185110 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.298221111 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.298227072 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.298259974 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.347146988 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.385377884 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.385411024 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.385497093 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.385528088 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.385556936 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.385569096 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.386734962 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.386756897 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.386820078 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.386840105 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.386900902 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.386902094 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.386945009 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.390350103 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.390383959 CET	443	49744	52.123.255.71	192.168.2.4
Nov 20, 2024 12:46:04.390403032 CET	49744	443	192.168.2.4	52.123.255.71
Nov 20, 2024 12:46:04.390412092 CET	443	49744	52.123.255.71	192.168.2.4

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 12:46:02.975527048 CET	1.1.1.1	192.168.2.4	0xb0c1	No error (0)	svc.ha-teams.office.com	svc.ms-acdc-teams.office.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 12:46:02.975527048 CET	1.1.1.1	192.168.2.4	0xb0c1	No error (0)	svc.ms-acdc-teams.office.com		52.123.255.71	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:46:02.975527048 CET	1.1.1.1	192.168.2.4	0xb0c1	No error (0)	svc.ms-acdc-teams.office.com		52.123.242.160	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:46:02.975527048 CET	1.1.1.1	192.168.2.4	0xb0c1	No error (0)	svc.ms-acdc-teams.office.com		52.123.242.150	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:46:02.975527048 CET	1.1.1.1	192.168.2.4	0xb0c1	No error (0)	svc.ms-acdc-teams.office.com		52.123.242.180	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:46:03 UTC	838	OUT	GET /config/v2/Office/officeclicktorun/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7423E565-A626-48D4-A186-93E31FBB3F25%7d&Application=officeclicktorun&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=officec2rclient.exe&Audience=Production&Build=ship&Architecture=x64&PerpetualLicense=2019&LicenseCategory=3&LicenseSKU=ProPlusRetail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b100658EF-A533-49E4-A927-AF364CADE8B9%7d&LabMachine=false HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip If-None-Match: "sSWlHUzHyGOmlDUj/sBFzQkl+48fO8GHL0RWhOFrydE=" User-Agent: Microsoft Office 2014 DisableExperiments: false X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130 Host: ecs.office.com
2024-11-20 11:46:04 UTC	1179	IN	HTTP/1.1 200 OK Cache-Control: no-cache,max-age=43200 Content-Length: 81198 Content-Type: application/json Expires: Wed, 20 Nov 2024 23:46:04 GMT ETag: "I4m6dCbX8nVTJmsGMu/rAq/NiYjWqbqaMXRdwksqdPk=" Server: Microsoft-IIS/10.0 request-id: f57d0712-431f-a35e-c902-0813b3eb6402 X-BackEndHttpStatus: 200 X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Office&DestinationEndpoint=MIRA-WW-PA7&FrontEnd=MIRA"}],"include_subdomains":true} NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01} X-Proxy-RoutingCorrectness: 1 X-MSEdge-Ref: MIRA: f57d0712-431f-a35e-c902-0813b3eb6402 PA7P264CA0394 2024-11-20T11:46:03.949Z Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000 X-Proxy-BackendServerStatus: 200 X-FirstHopCafeEFZ: CDG X-FEProxyInfo: PA7P264CA0394.FRAP264.PROD.OUTLOOK.COM X-FEEFZInfo: CDG X-Powered-By: ASP.NET X-FEServer: PA7P264CA0394 Date: Wed, 20 Nov 2024 11:46:03 GMT Connection: close
2024-11-20 11:46:04 UTC	1952	IN	Data Raw: 7b 22 45 43 53 22 3a 7b 22 43 6f 6e 66 69 67 4c 6f 67 54 61 72 67 65 74 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 63 37 32 65 61 32 38 37 2d 65 64 37 37 2d 34 66 61 36 2d 61 34 38 30 2d 33 37 31 32 34 30 36 63 33 36 37 65 22 3a 22 61 6b 61 2e 6d 73 2f 45 63 73 43 61 6e 61 72 79 22 2c 22 44 69 73 61 62 6c 65 43 6f 6e 66 69 67 4c 6f 67 22 3a 74 72 75 65 2c 22 43 61 63 68 65 45 78 70 69 72 79 49 6e 4d 69 6e 22 3a 37 32 30 2c 22 45 6e 61 62 6c 65 53 6d 61 72 74 45 54 61 67 22 3a 31 2c 22 43 6f 6e 66 69 67 49 64 44 65 6c 69 6d 69 74 65 72 49 6e 4c 6f 67 22 3a 22 3b 22 7d 2c 22 4e 61 6e 63 79 4f 66 66 69 63 65 54 65 61 6d 22 3a 7b 22 7a 68 65 74 61 6e 34 31 32 32 30 32 31 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 41 63 63 65 73 73 22 3a 7b 22 55 73 65 46 6f Data Ascii: {"ECS":{"ConfigLogTarget":"default","c72ea287-ed77-4fa6-a480-3712406c367e":"aka.ms/EcsCanary","DisableConfigLog":true,"CacheExpiryInMin":720,"EnableSmartETag":1,"ConfigIdDelimiterInLog":";"},"NancyOfficeTeam":{"zhetan4122021":true},"Office_Access":{"UseFo
2024-11-20 11:46:04 UTC	13740	IN	Data Raw: 75 65 2c 22 55 70 64 61 74 65 4c 6f 63 6b 73 63 72 65 65 6e 41 70 70 73 54 6f 4b 69 6c 6c 22 3a 22 75 63 6d 61 70 69 2e 65 78 65 2c 6c 79 6e 63 68 74 6d 6c 63 6f 6e 76 2e 65 78 65 2c 6c 79 6e 63 2e 65 78 65 2c 73 6b 79 70 65 2e 65 78 65 2c 73 65 61 72 63 68 70 72 6f 74 6f 63 6f 6c 68 6f 73 74 2e 65 78 65 2c 6f 73 66 69 6e 73 74 61 6c 6c 65 72 2e 65 78 65 2c 6d 73 6f 73 79 6e 63 2e 65 78 65 2c 6e 61 6d 65 63 6f 6e 74 72 6f 6c 73 65 72 76 65 72 2e 65 78 65 2c 6f 6e 65 6e 6f 74 65 6d 2e 65 78 65 2c 70 65 72 66 62 6f 6f 73 74 2e 65 78 65 2c 67 72 6f 6f 76 65 2e 65 78 65 2c 6d 73 6f 69 61 2e 65 78 65 2c 6f 66 66 69 63 65 62 61 63 6b 67 72 6f 75 6e 64 74 61 73 6b 68 61 6e 64 6c 65 72 2e 65 78 65 2c 6d 73 6f 61 73 62 2e 65 78 65 2c 73 64 78 68 65 6c 70 65 72 2e Data Ascii: ue,"UpdateLockscreenAppsToKill":"ucmapi.exe,lynchtmlconv.exe,lync.exe,skype.exe,searchprotocolhost.exe,osfinstaller.exe,msosync.exe,namecontrolserver.exe,onenotem.exe,perfboost.exe,groove.exe,msoia.exe,officebackgroundtaskhandler.exe,msoasb.exe,sdxhelper.
2024-11-20 11:46:04 UTC	16384	IN	Data Raw: 63 68 52 65 71 75 65 73 74 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 47 72 61 6d 6d 61 72 43 68 65 63 6b 69 6e 67 2e 42 72 61 7a 69 6c 69 61 6e 43 6f 6e 74 72 61 63 74 65 64 50 72 65 70 6f 73 69 74 69 6f 6e 73 22 3a 74 72 75 65 2c 22 49 43 72 69 74 69 71 75 65 2e 4c 6f 67 47 72 61 6d 6d 61 72 46 6c 61 67 45 64 69 74 73 22 3a 74 72 75 65 2c 22 47 72 61 6d 6d 61 72 43 68 65 63 6b 69 6e 67 2e 42 72 61 7a 69 6c 69 61 6e 49 6e 63 6f 72 72 65 63 74 53 65 71 75 65 6e 63 65 4f 66 50 72 65 70 6f 73 69 74 69 6f 6e 73 22 3a 74 72 75 65 2c 22 47 72 61 6d 6d 61 72 43 68 65 63 6b 69 6e 67 2e 49 74 61 6c 69 61 6e 43 61 70 69 74 61 6c 69 7a 61 74 69 6f 6e 4f 66 43 6f 6d 6d 6f 6e 4e 6f 75 6e 73 22 3a 74 72 75 65 2c 22 44 6f 63 45 78 70 6f 72 74 2e 41 64 64 43 68 69 6c Data Ascii: chRequestEnabled":true,"GrammarChecking.BrazilianContractedPrepositions":true,"ICritique.LogGrammarFlagEdits":true,"GrammarChecking.BrazilianIncorrectSequenceOfPrepositions":true,"GrammarChecking.ItalianCapitalizationOfCommonNouns":true,"DocExport.AddChil
2024-11-20 11:46:04 UTC	16384	IN	Data Raw: 75 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 44 6f 63 75 6d 65 6e 74 4e 6f 74 69 66 69 63 61 74 69 6f 6e 73 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 52 65 67 69 73 74 65 72 4f 6e 49 64 6c 65 46 65 61 74 75 72 65 47 61 74 65 44 69 73 61 62 6c 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 4d 72 75 53 65 72 76 69 63 65 41 70 69 22 3a 7b 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 44 6f 63 75 6d 65 6e 74 73 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 52 65 61 64 52 65 71 75 65 73 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 57 72 69 74 65 52 65 71 75 65 73 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 4f 6e 52 65 71 75 65 73 74 53 75 63 63 65 65 64 65 64 22 3a 7b 22 45 76 65 Data Ascii: un":{"EventFlag":2}}},"DocumentNotifications":{"Events":{"RegisterOnIdleFeatureGateDisabled":{"EventFlag":2}}},"MruServiceApi":{"SubNamespaces":{"Documents":{"Events":{"ReadRequest":{"EventFlag":2},"WriteRequest":{"EventFlag":2},"OnRequestSucceeded":{"Eve
2024-11-20 11:46:04 UTC	16384	IN	Data Raw: 6c 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 43 6f 6d 69 6e 67 53 6f 6f 6e 54 43 53 48 57 4e 44 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 4e 6f 46 69 6c 65 45 78 74 65 6e 73 69 6f 6e 49 63 6f 6e 4d 61 70 70 69 6e 67 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 2c 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 53 44 58 22 3a 7b 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 4d 65 43 6f 6e 74 72 6f 6c 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 54 72 61 63 6b 65 64 53 63 65 6e 61 72 69 6f 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 7d 7d 2c 22 54 65 61 63 68 69 6e 67 43 61 6c 6c 6f 75 74 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 54 65 61 63 68 69 6e 67 43 61 6c 6c 6f 75 74 41 6c 72 Data Ascii: led":{"EventFlag":512},"ComingSoonTCSHWND":{"EventFlag":2},"NoFileExtensionIconMapping":{"EventFlag":2}},"SubNamespaces":{"SDX":{"SubNamespaces":{"MeControl":{"Events":{"TrackedScenario":{"EventFlag":2}}}}},"TeachingCallout":{"Events":{"TeachingCalloutAlr
2024-11-20 11:46:04 UTC	16354	IN	Data Raw: 5f 55 43 49 22 3a 7b 22 53 68 61 72 65 64 53 65 72 70 6c 65 74 46 65 61 74 75 72 65 47 61 74 65 34 22 3a 74 72 75 65 2c 22 41 75 74 68 6f 72 69 6e 67 41 73 73 69 73 74 2e 53 65 74 41 75 74 68 6f 72 69 6e 67 41 73 73 69 73 74 45 6e 61 62 6c 65 64 46 6f 72 49 64 65 6e 74 69 74 79 4f 6e 49 6e 69 74 22 3a 66 61 6c 73 65 2c 22 45 6e 61 62 6c 65 55 6e 68 65 61 6c 74 68 4d 6f 6e 69 74 6f 72 69 6e 67 22 3a 66 61 6c 73 65 2c 22 54 65 6c 6c 4d 65 2e 50 61 72 61 6d 65 74 65 72 54 65 72 6d 50 72 65 64 69 63 74 69 6f 6e 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 52 65 73 65 61 72 63 68 65 72 2e 4e 6f 64 65 4a 53 57 65 62 50 61 67 65 45 78 74 72 61 63 74 6f 72 22 3a 74 72 75 65 2c 22 54 65 6c 6c 4d 65 2e 48 65 6c 70 50 72 6f 76 69 64 65 72 45 6e 61 62 6c 65 64 22 3a Data Ascii: _UCI":{"SharedSerpletFeatureGate4":true,"AuthoringAssist.SetAuthoringAssistEnabledForIdentityOnInit":false,"EnableUnhealthMonitoring":false,"TellMe.ParameterTermPredictionEnabled":true,"Researcher.NodeJSWebPageExtractor":true,"TellMe.HelpProviderEnabled":

Target ID:	0
Start time:	06:45:20
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\jokLq9gHyc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jokLq9gHyc.exe"
Imagebase:	0xf50000
File size:	164'864 bytes
MD5 hash:	485573E162551F66F776923126E5B5FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000003.2049780481.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000003.2058728567.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000003.2049590953.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000003.2055621435.0000000002550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000003.2022940644.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000003.2058573420.0000000002550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000002.2062331936.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_INCRansomware, Description: Yara detected INC Ransomware, Source: 00000000.00000003.2057493253.0000000002550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	06:45:54
Start date:	20/11/2024
Path:	C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\fxssvc.exe
Imagebase:	0x7ff650be0000
File size:	663'552 bytes
MD5 hash:	8C6D3BF6997E02544BE68D43DABE2F39
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	06:45:55
Start date:	20/11/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Wow64 process (32bit):	true
Commandline:	/insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{A2E7CF79-C90D-485A-A37F-868BC5C92F80}.xps" 133765767541360000
Imagebase:	0x1c0000
File size:	2'191'768 bytes
MD5 hash:	0061760D72416BCF5F2D9FA6564F0BEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	06:45:56
Start date:	20/11/2024
Path:	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Wow64 process (32bit):	false
Commandline:	OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1
Imagebase:	0x7ff781870000
File size:	26'974'216 bytes
MD5 hash:	4F025E7F9ADD3623A8B384BC0C7B18CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	51

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jokLq9gHyc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$WinREAgent\INC-README.html

C:\$WinREAgent\INC-README.txt

C:\$WinREAgent\Scratch\INC-README.html

C:\$WinREAgent\Scratch\INC-README.txt

C:\INC-README.html

C:\INC-README.txt

C:\PerfLogs\INC-README.html

C:\PerfLogs\INC-README.txt

C:\ProgramData\.curlrc

C:\ProgramData\.curlrc.INC (copy)

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.html

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.txt

C:\ProgramData\Adobe\ARM\INC-README.html

C:\ProgramData\Adobe\ARM\INC-README.txt

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.html

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.txt

Windows Analysis Report
jokLq9gHyc.exe

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre